[whatwg] window.opener and security
gazhay at gmail.com
Tue Mar 20 08:03:01 PDT 2007
I think you are deliberately missing the point now...
On 20 Mar 2007, at 14:50, Hallvord R M Steen wrote:
> On 20/03/07, Gareth Hay <gazhay at gmail.com> wrote:
>> Anyway, for use case 1 - If you are worried about phishing attacks,
>> you should be using some sort of
>> onunload handler trapping to null window.opener.
> Yet you are arguing that it should be impossible to set window.opener.
> If you had your way that unload handler would simply throw an
As was clearly stated, I showed a workaround and then suggested it
should be up to the UA to handle this situation.
It is not helpful to deliberately misunderstand points, and quote
them out of context. I suggest you re-read my mail.
> I will not follow up this discussion further because it is not
> relevant for the proposed window.open extension. I still think it
> would be useful to allow a page to open a popup without a
> window.opener property to protect itself from malicious address
I also clearly stated on topic why I don't think this is required. So
that you didn't miss the point again, (deliberately or not)
1) Either it is your responsibility to handle the nulling of the
2) It is the UA's.
I personally think the UA should handle it (as stated previously)
**BUT** if they do not, you *ARE* responsible for programming
correctly and using an unload to null the property when someone
**AND** you seem to want this extension to cure a problem, that is
also cured by window.opener.opener
More information about the whatwg