[whatwg] window.opener and security

Gareth Hay gazhay at gmail.com
Tue Mar 20 06:06:01 PDT 2007


Well, window.opener is conceptually a link from child to parent.
Can you give a valid use-case for adoption of the child to another  
parent?

On 20 Mar 2007, at 13:00, Hallvord R M Steen wrote:

> On 20/03/07, Gareth Hay <gazhay at gmail.com> wrote:
>> window.opener should be read-only and attempting to write to it
>> should throw an exception.
>
> I don't really see why setting opener would be dangerous, so I
> disagree that it should throw. Anyway, that is a different issue. What
> I'm talking about is the built-in behaviour - the browser itself sets
> window.opener in all popups, and there is currently no way to open a
> popup that is prevented from changing the location of its opener.
>
> (An exception is Opera applying a stricter security policy if the
> opener is an https page so in this case popup can't set location of
> its opener, but I'm not sure if the other UAs do this.)
>




More information about the whatwg mailing list