[SalesForce] How to use window.open in lightning components

As a security best practice, usually when we open new windows with JavaScript, we remove the opener property so that the page we open can't call window.opener and get full control of our Salesforce instance.

The common way to do this (from the article) in code is:

const otherWindow = window.open();
otherWindow.opener = null;
otherWindow.location = url;

However, in Salesforce components, the window object appears to be destroyed and not the browser window. So the first call to window.open() immediately opens a window to a location like:

https://...force.com/lightning/r/.../undefined

How do we prevent security flaws with the destroyed Aura component window object?

Best Answer

After tracing through the source, it looks like using an undefined first parameter is what causes this behavior. You can fix the first part by explicitly providing an empty url:

const otherWindow = window.open('');

However, once you do this, otherWindow is now a SecureWindow, so you won't get access to otherWindow.location (it will return as undefined). In other words, this path is a non-starter.

You could probably use the lightning:navigation component to specify a location, but this won't work outside of basic Lightning experiences (Lightning, Communities, Mobile App), so not available in Lightning Out or Lightning Apps, etc.

I'd recommend logging a bug, as I'm pretty sure it is one. It should also be reasonable for SecureWindow to provide access to the remote site's location attribute (perhaps filtered to be write-only?). For now, you will probably want to just open a page you know you control (e.g. a Visualforce page) and use that to springboard to the final destination securely.
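The following is an added example, not code from the question, the answer, or Salesforce; it sketches both halves of the "springboard" approach the answer suggests: the component opens a page it controls with the opener severed, and that page applies an allowlist before forwarding, so the springboard does not turn into an open redirect. It uses the browser's 'noopener' window feature (not mentioned in the thread) with the opener = null pattern from the question as a fallback; the `win` parameter, the `/apex/OpenExternal` path and the allowed hosts are constructed stand-ins so the logic runs outside a browser.

```javascript
// Added example: a safe "springboard" open plus the redirect check the
// springboard page itself should apply. `win` stands in for the browser
// window object; SPRINGBOARD and ALLOWED_HOSTS are constructed placeholders.

const SPRINGBOARD = "/apex/OpenExternal"; // hypothetical Visualforce page path

// Hosts the springboard page is willing to forward to (constructed list).
const ALLOWED_HOSTS = new Set(["docs.example.com", "status.example.com"]);

// Open the springboard page in a new tab with the opener reference severed.
// Returns whatever win.open produced: null when the browser honours
// 'noopener' (the preferred outcome), otherwise a handle we neuter manually.
function openViaSpringboard(win, target) {
  const dest = SPRINGBOARD + "?target=" + encodeURIComponent(target);
  // An explicit, non-undefined URL avoids the ".../undefined" navigation
  // described in the question; 'noopener' asks the browser to drop
  // window.opener on the new page for us.
  const handle = win.open(dest, "_blank", "noopener,noreferrer");
  if (handle) {
    // Browsers that ignore 'noopener' still hand back a handle, so fall
    // back to the manual pattern from the question.
    handle.opener = null;
  }
  return handle;
}

// On the springboard page: decide whether `target` may be redirected to.
// Returns the normalised URL string, or null when the request must be refused.
function resolveRedirectTarget(target) {
  let url;
  try {
    url = new URL(target); // relative paths and garbage input throw here
  } catch (e) {
    return null;
  }
  if (url.protocol !== "https:") return null;    // rejects javascript:, data:, http:
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;
  if (url.username || url.password) return null; // no user@host confusion
  return url.href;
}
```

The springboard page would call resolveRedirectTarget on its `target` query parameter and only navigate when it returns a non-null value.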