@nickcherry uncovered a gnarly js issue while trying to lift same-origin restrictions on frame redirects. 

its appears unsafe to open a new browser window with an unsanitized url. 

if the url was javascript:console.log("wowow")), it executes inside the current sandbox, not the new window!

Technowatermelon. Elder Millenial. Building Farcaster. 

nf.td/varun

this seems to happen if you use window-location-href or window-open in major browsers. 

it does not appear to affect <a> tags as badly. the impact on react native environments is also not clear at this point.

RN is immune for the record, what a champ