Client-side redirect by target + Server-side redirect by attacker (tel)

This page shows a tel: (call) dialog in the target origin's tab, without a "from attacker.tld" notice.

How?

  1. This page opens a new window to the target origin (https://www.google.com)
  2. ...and then navigates itself, now in the background, to a target-origin page (https://www.google.com/url?q=https://attacker.tld/...)
  3. The target-origin page performs a page-initiated redirect to the malicious URL (https://attacker.tld/...)
  4. Finally, the malicious URL performs a server-side redirect to a tel: URL, which shows the dialog in the currently active tab.
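
A defender-side model of the attribution gap in the steps above, as an added example that is not part of the original page and not any browser's actual code: given the redirect chain of one navigation, it decides whether the external-protocol dialog needs a "from <origin>" notice. The function name, the chain format, the URL paths and the phone number are assumptions constructed for illustration.

```javascript
// Added example (hypothetical model, not browser source code).
const WEB_SCHEMES = new Set(["http:", "https:"]);

// chain: ordered URLs that one navigation passed through (constructed input).
// activeTabOrigin: origin of the tab in the foreground when the dialog appears.
function attributeExternalPrompt(chain, activeTabOrigin) {
  if (chain.length === 0) throw new Error("empty redirect chain");
  const hops = chain.map((u) => new URL(u));
  const last = hops[hops.length - 1];
  if (WEB_SCHEMES.has(last.protocol)) return { external: false };

  // The last web hop before the external scheme is the party that actually
  // sent the user there. Origins that only bounced the navigation are not.
  let initiator = null;
  for (let i = hops.length - 2; i >= 0; i--) {
    if (WEB_SCHEMES.has(hops[i].protocol)) {
      initiator = hops[i].origin;
      break;
    }
  }
  const webOrigins = hops
    .filter((h) => WEB_SCHEMES.has(h.protocol))
    .map((h) => h.origin);

  return {
    external: true,
    scheme: last.protocol,
    initiator,
    crossedOrigins: [...new Set(webOrigins)],
    // The dialog must name the initiator whenever it is not the origin the
    // user is currently looking at (or cannot be determined at all).
    needsFromNotice: initiator === null || initiator !== activeTabOrigin,
  };
}

// Constructed chain mirroring steps 2-4; the active tab is the window opened in step 1.
const spoofChain = [
  "https://www.google.com/url?q=https://attacker.tld/r",
  "https://attacker.tld/r",
  "tel:+15555550100",
];
const spoof = attributeExternalPrompt(spoofChain, "https://www.google.com");

// Constructed control: the target origin itself links to a tel: URL.
const benign = attributeExternalPrompt(
  ["https://www.google.com/contact", "tel:+15555550100"],
  "https://www.google.com"
);
console.log(spoof.initiator, spoof.needsFromNotice, benign.needsFromNotice);
```
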