[whatwg] window.opener and security

Gareth Hay gazhay at gmail.com
Tue Mar 20 08:03:01 PDT 2007


I think you are deliberately missing the point now...

On 20 Mar 2007, at 14:50, Hallvord R M Steen wrote:

> On 20/03/07, Gareth Hay <gazhay at gmail.com> wrote:
>> Anyway, for use case 1 - If you are worried about phishing attacks,
>> you should be using some sort of
>> onunload handler trapping to null window.opener.
>
> Yet you are arguing that it should be impossible to set window.opener.
> If you had your way that unload handler would simply throw an
> exception...
>
As was clearly stated, I showed a workaround and then suggested it  
should be up to the UA to handle this situation.
It is not helpful to deliberately misunderstand points, and quote  
them out of context. I suggest you re-read my mail.

> I will not follow up this discussion further because it is not
> relevant for the proposed window.open extension. I still think it
> would be useful to allow a page to open a popup without a
> window.opener property to protect itself from malicious address
> modification.

I also clearly stated on topic why I don't think this is required. So
that you don't miss the point again (deliberately or not):

1) Either it is your responsibility to handle the nulling of the  
property *or*
2) It is the UA's.

I personally think the UA should handle it (as stated previously)
**BUT** if they do not, you *ARE* responsible for programming  
correctly and using an unload to null the property when someone  
navigates away.

**AND** you seem to want this extension to cure a problem that is
also cured by window.opener.opener

Gareth


