https://warpcast.com/~/channel/frames
0 reply
4 recasts
4 reactions
Varun Srinivasan
@v
@nickcherry uncovered a gnarly js issue while trying to lift same-origin restrictions on frame redirects. it appears unsafe to open a new browser window with an unsanitized url. if the url was javascript:console.log("wowow"), it executes inside the current sandbox, not the new window!
1 reply
0 recast
17 reactions
Varun Srinivasan
@v
this seems to happen if you use window-location-href or window-open in major browsers. it does not appear to affect <a> tags as badly. the impact on react native environments is also not clear at this point.
2 replies
0 recast
0 reaction
Varun Srinivasan
@v
path forward is we will lift the same origin restrictions to simplify redirects but require that clients sanitize links before handing them off to the browser context to open in a new window.
0 reply
0 recast
0 reaction
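
The client-side sanitization the last post calls for could look like the following. This is an added example, not code from the thread or from any Farcaster client. The function names `sanitizeRedirectUrl` and `openRedirect`, and the choice to allow only `http:` and `https:`, are assumptions made for illustration.

```javascript
// Added example (hypothetical names): allowlist check for a frame redirect URL
// before a client hands it to window.open or window.location.href.
const ALLOWED_PROTOCOLS = new Set(["https:", "http:"]); // assumed policy

// Returns the normalized URL string if it is safe to open, otherwise null.
function sanitizeRedirectUrl(raw) {
  if (typeof raw !== "string") return null;
  let parsed;
  try {
    // Parse with the same WHATWG rules the browser uses: leading whitespace
    // is trimmed, embedded tabs/newlines are dropped and the scheme is
    // lowercased, so " JavaScript:" and "java\tscript:" both surface as
    // "javascript:". No base URL is given, so relative input is rejected.
    parsed = new URL(raw);
  } catch {
    return null;
  }
  // Allowlist rather than blocklist: javascript:, data:, blob:, file: and
  // any scheme not listed are all refused.
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return null;
  // Return the parser's serialization, not the raw input, so the browser
  // receives exactly the string that was checked.
  return parsed.href;
}

// Opens the URL in a new window only if it passes the check.
// `opener` is injectable so the logic can be exercised outside a browser.
function openRedirect(raw, opener = (u, t, f) => window.open(u, t, f)) {
  const safe = sanitizeRedirectUrl(raw);
  if (safe === null) return false;
  // noopener keeps the new window from reaching back into this context.
  opener(safe, "_blank", "noopener,noreferrer");
  return true;
}
```

The check runs on the parsed URL rather than on a string prefix, so scheme variants that a `startsWith("javascript:")` test would miss are still refused.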