[whatwg] window.opener and security
Gareth Hay
gazhay at gmail.com
Tue Mar 20 06:06:01 PDT 2007
Well, window.opener is conceptually a link from child to parent.
Can you give a valid use-case for adoption of the child to another
parent?
On 20 Mar 2007, at 13:00, Hallvord R M Steen wrote:
> On 20/03/07, Gareth Hay <gazhay at gmail.com> wrote:
>> window.opener should be read-only and attempting to write to it
>> should throw an exception.
>
> I don't really see why setting opener would be dangerous, so I
> disagree that it should throw. Anyway, that is a different issue. What
> I'm talking about is the built-in behaviour - the browser itself sets
> window.opener in all popups, and there is currently no way to open a
> popup that is prevented from changing the location of its opener.
>
> (An exception is Opera applying a stricter security policy if the
> opener is an https page so in this case popup can't set location of
> its opener, but I'm not sure if the other UAs do this.)
>
More information about the whatwg
mailing list