Calling `window.open('javascript:alert()') from the renderer causes unhandled exception #50059
Description
Preflight Checklist
- I have read the Contributing Guidelines for this project.
- I agree to follow the Code of Conduct that this project adheres to.
- I have searched the issue tracker for a bug report that matches the one I want to file, without success.
Electron Version
38 and up
What operating system(s) are you using?
macOS
Operating System Version
macOS Tahoe 26.2
What arch are you using?
arm64 (including Apple Silicon)
Last Known Working Electron version
Not sure
Does the issue also appear in Chromium / Google Chrome?
I don't know how to test
Expected Behavior
The page loads and the alert is shown.
Actual Behavior
The page throws an Invalid URL exception
Testcase Gist URL
https://gist.github.com/devinbinnie/cca61abe95811764736c99f2d6cb6799
Additional Information
This doesn't seem super exploitable if you don't allow any about:blank windows to open, or any non-HTTP URLs through, or any windows at all.
However in that case, you will see an exception thrown which will crash your app if not handled.
In Chrome, the alert seems to be shown as should be expected.