[whatwg] window.opener and security

Gareth Hay gazhay at gmail.com
Tue Mar 20 04:44:34 PDT 2007


window.opener should be read-only and attempting to write to it  
should throw an exception.

This is a similar issue to window.history, in certain browsers you  
can write to this with js. It has no effect, but does persist across  
domains. The webkit team decided to just throw an exception if a  
write to window.history was detected. I don't know if it ever got  
implemented, or even if any of the other browser vendors addressed it.

On 20 Mar 2007, at 11:40, Hallvord R M Steen wrote:

> Hi,
> when a new window or tab is opened by a page it normally has a
> "window.opener" property that points to the window object of the
> original tab.
>
> This happens whether the new window is opened by a JavaScript calling
> window.open or by a link or form with target attribute set.
>
> If an origin check fails when comparing the locations of the old
> window and the popup, the normal cross-domain security policies apply.
> This means that popup contents from a different site will not be
> allowed to call methods or manipulate the DOM of the opener.
>
> However, this cross-domain security policy has one exception: the
> popup may set the location of its opener. This has phishing potential,
> particularly for webmail where opening external links in a new window
> is a very common use case. Hence I think it would be a good idea to
> let a site opt-out and specify that the popup should not have a
> window.opener property. For example, one could extend the "features"
> argument of window.open:
>
> window.open(url, name, 'openerproperty=0');
>
> Thoughts?
>
> References:
> http://my.opera.com/hallvors/blog/2007/03/14/window-opener-and- 
> security-an-unfixable-problem
>
> -- 
> Hallvord R. M. Steen




More information about the whatwg mailing list