[whatwg] Chrome, Security and Popup Blocking
Matthew Raymond
spacedog at planetquake.com
Thu Jun 10 20:25:26 PDT 2004

Ian Hickson, Thu Jun 10 12:18:23 PDT 2004:
> One possibility would be for the application to be able to "request"
> WAOB status, maybe using an attribute or something:
>
> <html application="application">
>
> ...and this would pop up a dialog box saying:
>
> :: Security Warning :::::::::::::::::::::::::::::::::::
> |                                                     |
> | The Web page at this domain:                        |
> |                                                     |
> |    paypcl.com                                       |
> |                                                     |
> | ...wishes to launch an application in a separate    |
> | window. Do you trust this domain?                   |
> |                                                     |
> | [x] Remember this decision.                         |
> |                                                     |
> | (( Trust paypcl.com )) ( Display as Web page )      |
> |                                                     |
> '-----------------------------------------------------'
>
> What do people think? Would this solve the problem?

I think you almost have it, but not quite. Web apps can already
bring up windows that don't have the chrome in IE 6.0 RIGHT NOW! We
don't need additional attributes to control whether or not you can
deactivate chrome. What we need are new guidelines for how
popup-blocking technologies should deal with chrome deactivation.

Here's the general idea: Instead of having the above dialog example
triggered by a new "application" attribute, we simply detect whenever
JavaScript tries to create a window with no chrome, or when a web
application contains JavaScript that removes the chrome from its own
window. This approach allows makers of popup-blocking software (which
will soon include Microsoft) to control these kinds of applications
without having to support new markup.

In a nutshell: Forget the markup and concentrate on making "popup
blocking" a more integral part of the browser security model.
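
As an added illustration (not part of the original message, and not any browser's code), the detection step proposed above could look like this for the `window.open()` case: the blocker inspects the features string and asks the user only when chrome is being switched off. The function names, the list of chrome features, the trusted-domain set and the simplified rule for how a features string disables chrome are all assumptions.

```javascript
// Added illustration: chrome elements a popup blocker might care about (assumed list).
const CHROME_FEATURES = ["toolbar", "location", "menubar", "status"];

// Parse a window.open() features string ("width=300,toolbar=no") into a Map.
function parseFeatures(features) {
  const parsed = new Map();
  for (const token of String(features || "").split(",")) {
    const [rawName, rawValue = ""] = token.split("=");
    const name = rawName.trim().toLowerCase();
    if (!name) continue;
    const value = rawValue.trim().toLowerCase();
    // A bare name, "yes", "true" or a non-zero integer turns the feature on.
    const on = value === "" || value === "yes" || value === "true" ||
      (Number.parseInt(value, 10) || 0) !== 0;
    parsed.set(name, on);
  }
  return parsed;
}

// Decide what a blocker would do with one window.open() call.
// Assumption: an empty features string yields a normal window, and a
// non-empty one switches off every chrome element it does not enable.
function reviewWindowOpen(features, trustedDomains, domain) {
  const parsed = parseFeatures(features);
  if (parsed.size === 0) return { action: "allow", removed: [] };
  const removed = CHROME_FEATURES.filter((name) => parsed.get(name) !== true);
  if (removed.length === 0) return { action: "allow", removed };
  // Chrome is being stripped: only a domain the user already trusted skips the prompt.
  const action = trustedDomains.has(domain) ? "allow" : "prompt";
  return { action, removed };
}

// Constructed sample calls; "paypcl.com" is the domain from the dialog mock-up.
const trusted = new Set(["example.org"]);
console.log(reviewWindowOpen("", trusted, "paypcl.com"));
console.log(reviewWindowOpen("width=400,height=300", trusted, "paypcl.com"));
console.log(reviewWindowOpen("toolbar=yes,location=1,menubar,status=yes", trusted, "paypcl.com"));
console.log(reviewWindowOpen("width=400,toolbar=no", trusted, "example.org"));
```

The second case of the proposal, a script removing the chrome from its own window, is not covered by this sketch.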