[whatwg] window.opener and security
Hallvord R M Steen
hallvors at gmail.com
Tue Mar 20 04:40:02 PDT 2007
Hi,

when a new window or tab is opened by a page it normally has a
"window.opener" property that points to the window object of the
original tab.

This happens whether the new window is opened by a JavaScript calling
window.open or by a link or form with target attribute set.

If an origin check fails when comparing the locations of the old
window and the popup, the normal cross-domain security policies apply.
This means that popup contents from a different site will not be
allowed to call methods or manipulate the DOM of the opener.

However, this cross-domain security policy has one exception: the
popup may set the location of its opener. This has phishing potential,
particularly for webmail where opening external links in a new window
is a very common use case. Hence I think it would be a good idea to
let a site opt out and specify that the popup should not have a
window.opener property. For example, one could extend the "features"
argument of window.open:

    window.open(url, name, 'openerproperty=0');

Thoughts?
References:
http://my.opera.com/hallvors/blog/2007/03/14/window-opener-and-security-an-unfixable-problem
--
Hallvord R. M. Steen
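
Added example, not part of the original post: the opt-out that browsers later standardized is the "noopener" link type and window feature rather than the 'openerproperty=0' spelling proposed above. The sketch below applies it to the webmail case by adding rel="noopener" to cross-origin links that open another window; hardenLinks, findAttr, the sample markup and the mail.example origin are assumptions made for illustration.

```javascript
// Added example: mark cross-origin links that open a new window with
// rel="noopener", so the opened page gets window.opener === null.
// hardenLinks/findAttr are hypothetical helpers; regex tag matching is a
// simplification for well-formed markup, not a full HTML parser.
function findAttr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(tag);
  return m ? { raw: m[0], value: m[1] ?? m[2] ?? m[3] } : null;
}

function hardenLinks(html, pageUrl) {
  const own = new URL(pageUrl).origin;
  return html.replace(/<a\b[^>]*>/gi, (tag) => {
    const href = findAttr(tag, 'href');
    const target = findAttr(tag, 'target');
    // Only links that create or reuse another window expose an opener.
    if (!href || !target || /^(|_self|_parent|_top)$/i.test(target.value)) return tag;
    let origin = null; // unparsable URL: treat as foreign
    try { origin = new URL(href.value, pageUrl).origin; } catch { /* keep null */ }
    if (origin === own) return tag; // same-origin popups may keep their opener
    const rel = findAttr(tag, 'rel');
    const tokens = new Set(rel ? rel.value.toLowerCase().split(/\s+/).filter(Boolean) : []);
    // noreferrer already implies noopener in the HTML specification.
    if (tokens.has('noopener') || tokens.has('noreferrer')) return tag;
    tokens.add('noopener');
    const relAttr = ` rel="${[...tokens].join(' ')}"`;
    return rel
      ? tag.replace(rel.raw, () => relAttr)
      : tag.replace(/\s*\/?>$/, (end) => relAttr + end);
  });
}

// Constructed sample: message body rendered at https://mail.example/inbox
const SAMPLE = [
  '<a href="https://external.example/offer" target="_blank">offer</a>',
  '<a href="/settings" target="prefs">settings</a>',
  '<a href="https://news.example/" target="_blank" rel="nofollow">news</a>',
  '<a href="https://other.example/">same window</a>',
].join('\n');

console.log(hardenLinks(SAMPLE, 'https://mail.example/inbox'));
// Script equivalent for window.open: window.open(url, '_blank', 'noopener')
```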