Client-side redirect by target + Server-side redirect by attacker (calc)

This page shows an external protocol dialog in the target origin's tab, with the target origin in the dialog. The omnibox and dialog origin match.

How?

  1. This page opens a new window to the target origin (https://www.google.com)
  2. ...and then navigates this page in the background to a target-origin page (https://www.google.com/url?q=https://attacker.tld/...)
  3. The target-origin page performs a page-initiated redirect to the malicious URL (https://attacker.tld/...)
  4. Finally, the malicious URL performs a server-side redirect to an app protocol URL, which shows the dialog in the currently-active tab.
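
The chain in steps 1-4, modelled as an added example (not code from the PoC or from the browser): it compares the origin a dialog shows when it trusts the tab's committed document with the origin of the URL that actually handed off to the app protocol. The hop records, the `via` labels and the `exampleapp:` scheme are assumptions made for illustration.

```javascript
// Added illustration, not browser source. Field names and `via` values are assumptions.
// via: how the navigation to `url` started: 'external' (from outside the tab's
// document), 'client' (page-initiated by the previous document), 'server' (HTTP 3xx).
const isWeb = (u) => ['http:', 'https:'].includes(new URL(u).protocol);

// Origin of the last document that actually committed in the tab. A URL that
// answered with a 3xx never commits, so the omnibox keeps the earlier origin.
function committedOrigin(chain) {
  let origin = null;
  chain.forEach((hop, i) => {
    const next = chain[i + 1];
    if (isWeb(hop.url) && !(next && next.via === 'server')) {
      origin = new URL(hop.url).origin;
    }
  });
  return origin;
}

// Origin of the web URL that directly handed off to the external protocol.
function handoffOrigin(chain) {
  const i = chain.findIndex((hop) => !isWeb(hop.url));
  return i > 0 ? new URL(chain[i - 1].url).origin : null;
}

// Flag chains where the origin shown differs from the origin responsible.
function auditDialog(chain) {
  const shown = committedOrigin(chain);
  const responsible = handoffOrigin(chain);
  return { shown, responsible, mismatch: responsible !== null && shown !== responsible };
}

// Constructed chain mirroring steps 1-4; exampleapp: is a placeholder scheme.
const spoofChain = [
  { url: 'https://www.google.com/', via: 'external' },
  { url: 'https://www.google.com/url?q=https://attacker.tld/', via: 'external' },
  { url: 'https://attacker.tld/', via: 'client' },
  { url: 'exampleapp://open', via: 'server' },
];
// Constructed control: the committed page itself launches the app.
const directChain = [
  { url: 'https://www.google.com/', via: 'external' },
  { url: 'exampleapp://open', via: 'client' },
];

console.log(auditDialog(spoofChain));
console.log(auditDialog(directChain));
```

A dialog that attributes the request to the handoff origin names attacker.tld for the first chain, while one that reads the committed document names www.google.com.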

An attacker can repeatedly show dialogs by using an iframe (also demonstrated in the PoC spoof-iframe-src-calc.html).

Repeated prompts work automatically.