fix an image upload / real-time preview issue without introducing an XSS vulnerability. Sep 2016: Ingrid has a backend and infra background, so she decides to look into it further.
A newly opened tab can change window.opener.location to a phishing page. Some of the permissions are automatically negated by cross-domain restrictions, but window.location is fair game.
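The defensive side of the note above, as an added example that is not part of the original notes: a small audit that finds target="_blank" links which still hand the new tab a live window.opener, and rewrites them with the standard rel="noopener noreferrer" link types. The function names and the sample markup are hypothetical, and the regex-based attribute parsing assumes simple, well-formed anchors.

```javascript
// Added example: audit and harden target="_blank" links against opener abuse.
// Regex attribute parsing is an assumption that fits simple markup only.
const ANCHOR_RE = /<a\b([^>]*)>/gi;
const ATTR_RE = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

// Parse the attribute text of one <a> tag into a Map keyed by lowercase name.
function parseAttrs(attrText) {
  const attrs = new Map();
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs.set(m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

// Exposed = opens a new tab and rel lacks both "noopener" and "noreferrer".
function exposesOpener(attrs) {
  if ((attrs.get("target") || "").toLowerCase() !== "_blank") return false;
  const rel = (attrs.get("rel") || "").toLowerCase().split(/\s+/);
  return !rel.includes("noopener") && !rel.includes("noreferrer");
}

// Return the href of every link whose new tab could set opener.location.
function findExposedLinks(html) {
  return [...html.matchAll(ANCHOR_RE)]
    .map((m) => parseAttrs(m[1]))
    .filter(exposesOpener)
    .map((attrs) => attrs.get("href") || "");
}

// Rewrite exposed links so the opened page sees window.opener === null.
function hardenLinks(html) {
  return html.replace(ANCHOR_RE, (tag, attrText) => {
    const attrs = parseAttrs(attrText);
    if (!exposesOpener(attrs)) return tag;
    const rel = (attrs.get("rel") || "").split(/\s+/).filter(Boolean);
    rel.push("noopener", "noreferrer");
    const rest = attrText.replace(/\srel\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/i, "");
    return `<a${rest} rel="${rel.join(" ")}">`;
  });
}

// Constructed sample markup (not from the original notes).
const SAMPLE = [
  '<a href="https://partner.example/docs" target="_blank">docs</a>',
  '<a href="https://partner.example/blog" target="_blank" rel="nofollow">blog</a>',
  '<a href="https://partner.example/faq" target="_blank" rel="noopener">faq</a>',
  '<a href="/local">local</a>',
].join("\n");
console.log(findExposedLinks(SAMPLE));
```

Links opened from script with window.open() need the same treatment (pass "noopener" in the features string), which this markup-only audit does not cover.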