[whatwg] window.opener and security

Hallvord R M Steen hallvors at gmail.com
Tue Mar 20 04:40:02 PDT 2007

when a new window or tab is opened by a page it normally has a
"window.opener" property that points to the window object of the
original tab.

This happens whether the new window is opened by a JavaScript calling
window.open or by a link or form with target attribute set.

If an origin check fails when comparing the locations of the old
window and the popup, the normal cross-domain security policies apply.
This means that popup contents from a different site will not be
allowed to call methods or manipulate the DOM of the opener.

However, this cross-domain security policy has one exception: the
popup may set the location of its opener. This has phishing potential,
particularly for webmail where opening external links in a new window
is a very common use case. Hence I think it would be a good idea to
let a site opt-out and specify that the popup should not have a
window.opener property. For example, one could extend the "features"
argument of window.open:

window.open(url, name, 'openerproperty=0');



Hallvord R. M. Steen

More information about the whatwg mailing list