[whatwg] window.opener and security
Gareth Hay
gazhay at gmail.com
Tue Mar 20 08:03:01 PDT 2007
I think you are deliberately missing the point now...
On 20 Mar 2007, at 14:50, Hallvord R M Steen wrote:
> On 20/03/07, Gareth Hay <gazhay at gmail.com> wrote:
>> Anyway, for use case 1 - If you are worried about phishing attacks,
>> you should be using some sort of
>> onunload handler trapping to null window.opener.
>
> Yet you are arguing that it should be impossible to set window.opener.
> If you had your way that unload handler would simply throw an
> exception...
>
As was clearly stated, I showed a workaround and then suggested it
should be up to the UA to handle this situation.
It is not helpful to deliberately misunderstand points, and quote
them out of context. I suggest you re-read my mail.
> I will not follow up this discussion further because it is not
> relevant for the proposed window.open extension. I still think it
> would be useful to allow a page to open a popup without a
> window.opener property to protect itself from malicious address
> modification.
I also clearly stated on topic why I don't think this is required. So
that you didn't miss the point again (deliberately or not):
1) Either it is your responsibility to handle the nulling of the
property *or*
2) It is the UA's.
I personally think the UA should handle it (as stated previously)
**BUT** if they do not, you *ARE* responsible for programming
correctly and using an unload to null the property when someone
navigates away.
**AND** you seem to want this extension to cure a problem that is
also cured by window.opener.opener.
Gareth