[whatwg] window.opener and security

Hallvord R M Steen hallvors at gmail.com
Tue Mar 20 07:50:47 PDT 2007


On 20/03/07, Gareth Hay <gazhay at gmail.com> wrote:
> Anyway, for use case 1 - If you are worried about phishing attacks,
> you should be using some sort of
> onunload handler trapping to null window.opener.

Yet you are arguing that it should be impossible to set window.opener.
If you had your way that unload handler would simply throw an
exception...

I will not follow up this discussion further because it is not
relevant for the proposed window.open extension. I still think it
would be useful to allow a page to open a popup without a
window.opener property to protect itself from malicious address
modification.

-- 
Hallvord R. M. Steen
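
An added illustration, not part of the original message or of the proposal it discusses: the opener-less popup asked for above, written with the "noopener" window feature that current browsers implement. makeFakeWindow, openDetached and openerReachable are hypothetical names, and the window object is a constructed model so the snippet runs outside a browser.

```javascript
// Added example; the fake window below is a constructed model, not a browser API.

// Constructed stand-in for a browser window. open() mimics the two behaviours
// that matter here: with "noopener" honoured the child gets opener === null and
// the caller gets null back; otherwise the child holds a live opener reference.
function makeFakeWindow(href, honoursNoopener) {
  const win = { location: { href }, children: [] };
  win.open = (url, target, features = '') => {
    const detached = honoursNoopener &&
      features.split(',').map(f => f.trim().toLowerCase()).includes('noopener');
    const child = { location: { href: url }, opener: detached ? null : win, closed: false };
    child.close = () => { child.closed = true; };
    win.children.push(child);
    return detached ? null : child;
  };
  return win;
}

// Opener side (hypothetical helper): request a popup with no window.opener.
// Returns true when no open popup is left holding a reference to `win`.
// A null handle is the expected result of "noopener" (a blocked popup also
// returns null, which is equally safe). A non-null handle means the feature
// was ignored, so fail closed instead of leaving the reference in place.
function openDetached(win, url) {
  const handle = win.open(url, '_blank', 'noopener');
  if (handle === null) return true;
  handle.close();
  return false;
}

// Check: can any open child still reach `win` and rewrite its address?
function openerReachable(win) {
  return win.children.some(c => !c.closed && c.opener === win);
}
```

In a real page the call is openDetached(window, url); the caller gets no handle to the popup, which is the trade-off for the popup getting no handle to the caller.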


