[whatwg] Chrome, Security and Popup Blocking

Matthew Raymond spacedog at planetquake.com
Thu Jun 10 20:25:26 PDT 2004


Ian Hickson, Thu Jun 10 12:18:23 PDT 2004:
 > One possibility would be for the application to be able to "request"
 > WAOB status, maybe using an attribute or something:
 >
 >   <html application="application">
 >
 > ...and this would pop up a dialog box saying:
 >
 >    :: Security Warning :::::::::::::::::::::::::::::::::::
 >    |                                                     |
 >    | The Web page at this domain:                        |
 >    |                                                     |
 >    |    paypcl.com                                       |
 >    |                                                     |
 >    | ...wishes to launch an application in a separate    |
 >    | window. Do you trust this domain?                   |
 >    |                                                     |
 >    | [x] Remember this decision.                         |
 >    |                                                     |
 >    |     (( Trust paypcl.com ))  ( Display as Web page ) |
 >    |                                                     |
 >    '-----------------------------------------------------'
 >
 > What do people think? Would this solve the problem?

    I think you almost have it, but not quite. Web apps can already 
bring up windows that don't have the chrome in IE 6.0 RIGHT NOW! We 
don't need additional attributes to control whether or not you can 
deactivate chrome. What we need are new guidelines for how 
popup-blocking technologies should deal with chrome deactivation.

    Here's the general idea: Instead of having the above dialog example 
triggered by a new "application" attribute, we simply detect whenever 
JavaScript tries to create a window with no chrome, or when a web 
application contains JavaScript that removes the chrome from its own 
window. This approach allows makers of popup-blocking software (which 
will soon include Microsoft) to control these kinds of applications 
without having to support new markup.

    In a nutshell: Forget the markup and concentrate on making "popup 
blocking" a more integral part of the browser security model.
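
The detection proposed in the message above, sketched as an added example (not part of the original post and not any browser's actual code). The feature list, the trust-store shape, the action names and the rule that unlisted chrome features count as off once a features string is given are assumptions made for illustration.

```javascript
// Added example: simplified model of a popup-blocker policy hook.
// CHROME_FEATURES and the trust-store shape are assumptions for illustration.
const CHROME_FEATURES = ["toolbar", "location", "menubar", "status"];

// Parse a window.open() features string such as "width=400,toolbar=no".
// Bare names ("menubar") and "yes"/"1" mean on; anything else means off.
function parseFeatures(features) {
  const parsed = new Map();
  for (const item of (features || "").split(",")) {
    const [rawName, rawValue] = item.split("=");
    const name = rawName.trim().toLowerCase();
    if (!name) continue;
    const value = (rawValue === undefined ? "yes" : rawValue).trim().toLowerCase();
    parsed.set(name, value === "yes" || value === "1");
  }
  return parsed;
}

// Return the chrome features the new window would be missing.
// Modelled rule: once any features string is given, chrome features
// that are not explicitly switched on count as off.
function hiddenChrome(features) {
  const parsed = parseFeatures(features);
  if (parsed.size === 0) return []; // no features string: full chrome
  return CHROME_FEATURES.filter((name) => parsed.get(name) !== true);
}

// Decide what the blocker does for a window.open() call made by `origin`.
// trustStore maps a hostname to the remembered answer from the dialog.
function decideOpen(origin, features, trustStore) {
  const hidden = hiddenChrome(features);
  if (hidden.length === 0) return { action: "allow", hidden };
  const host = new URL(origin).hostname;
  if (trustStore.has(host)) {
    // "show-chrome" corresponds to "Display as Web page" in the dialog.
    return { action: trustStore.get(host) ? "allow" : "show-chrome", hidden };
  }
  return { action: "prompt", host, hidden };
}
```
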


