[whatwg] window.opener and security

Hallvord R M Steen hallvors at gmail.com
Tue Mar 20 06:00:45 PDT 2007


On 20/03/07, Gareth Hay <gazhay at gmail.com> wrote:
> window.opener should be read-only and attempting to write to it
> should throw an exception.

I don't really see why setting opener would be dangerous, so I
disagree that it should throw. Anyway, that is a different issue. What
I'm talking about is the built-in behaviour - the browser itself sets
window.opener in all popups, and there is currently no way to open a
popup that is prevented from changing the location of its opener.

(An exception is Opera applying a stricter security policy if the
opener is an https page, so in this case the popup can't set the
location of its opener, but I'm not sure if the other UAs do this.)

> This is a similar issue to window.history: in certain browsers you
> can write to this with JS. It has no effect, but does persist across
> domains. The webkit team decided to just throw an exception if a
> write to window.history was detected. I don't know if it ever got
> implemented, or even if any of the other browser vendors addressed it.
>
> On 20 Mar 2007, at 11:40, Hallvord R M Steen wrote:
>
> > Hi,
> > when a new window or tab is opened by a page it normally has a
> > "window.opener" property that points to the window object of the
> > original tab.
> >
> > This happens whether the new window is opened by JavaScript calling
> > window.open or by a link or form with the target attribute set.
> >
> > If an origin check fails when comparing the locations of the old
> > window and the popup, the normal cross-domain security policies apply.
> > This means that popup contents from a different site will not be
> > allowed to call methods or manipulate the DOM of the opener.
> >
> > However, this cross-domain security policy has one exception: the
> > popup may set the location of its opener. This has phishing potential,
> > particularly for webmail where opening external links in a new window
> > is a very common use case. Hence I think it would be a good idea to
> > let a site opt-out and specify that the popup should not have a
> > window.opener property. For example, one could extend the "features"
> > argument of window.open:
> >
> > window.open(url, name, 'openerproperty=0');
> >
> > Thoughts?
> >
> > References:
> > http://my.opera.com/hallvors/blog/2007/03/14/window-opener-and-security-an-unfixable-problem
> >
> > --
> > Hallvord R. M. Steen
>
>


-- 
Hallvord R. M. Steen
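Added example, not code from the thread: an opener-side version of the opt-out discussed above, written in JavaScript with the two mitigations browsers later adopted, `rel="noopener"` on links that open a new browsing context, and nulling a popup's opener before navigating it. The function names, the injectable `win` parameter and the sample origins are my own assumptions, not part of any specification.

```javascript
// Decide the rel attribute a link should carry so that a page it opens in
// a new browsing context (target=_blank or a named target) cannot reach
// back through window.opener. Same-origin links keep their rel unchanged,
// since the risk described in the thread is the cross-origin popup
// setting opener.location.
function relForLink(href, target, rel, pageOrigin) {
  const opensNewContext = Boolean(target) && !['_self', '_parent', '_top'].includes(target);
  if (!opensNewContext) return rel;
  let dest;
  try { dest = new URL(href, pageOrigin); } catch { return rel; }
  if (dest.origin === new URL(pageOrigin).origin) return rel;
  const tokens = rel.split(/\s+/).filter(Boolean);
  if (!tokens.includes('noopener')) tokens.push('noopener');
  return tokens.join(' ');
}

// Open an external URL from script without leaving the popup a usable
// window.opener. The popup is created as about:blank, which is same-origin
// with us, so its opener can be cleared before it is sent to the external
// site; after that navigation the cross-origin document finds opener === null.
// (Current browsers also accept 'noopener' in the features string of
// window.open, which achieves the same and makes open() return null.)
// `win` is injected so the logic can be exercised outside a browser.
function openWithoutOpener(url, win = globalThis.window) {
  let parsed;
  const base = win.location && win.location.href;
  try { parsed = new URL(url, base); } catch { return null; }
  // Only navigate the popup to http(s): javascript: and data: URLs would
  // run in the popup with whatever privileges it still has.
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  const popup = win.open('about:blank', '_blank');
  if (!popup) return null;              // popup blocker
  popup.opener = null;                  // sever the back-reference first
  popup.location = parsed.href;         // then hand the window to the external site
  return popup;
}
```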


