Getting access to a website’s window object is a common prerequisite for different XS-Leak techniques. Framing Protections can ensure that an attacker cannot use iframes to access the window object, but this does not stop an attacker from accessing the window object from an opened window through window.open(url) or window.opener references. Exploiting XS-Leaks with window.open is generally seen as the least appealing option for an attacker because the user can see it happen in the open brow...
