[whatwg] window.opener and security

Hallvord R M Steen hallvors at gmail.com
Tue Mar 20 09:17:27 PDT 2007


> >> 1) Either it is your responsibility to handle the nulling of the
> >> property *or*
> >> 2) It is the UA's.
> >
> > The UA can not do this. It would break legacy pages by resetting
> > window.opener if content comes from a different server.

> If this is a security point, which I take from the subject
> "window.opener and security" it is, there is no problem with a UA
> breaking an implementation that relied on insecurity.

Breaking *any* website is a problem. Yes, security is important. But
this is a problem with a clear and limited (ab)use case - mainly
webmails - and we can add a feature giving those relatively few
webmail sites some easy-to-use opt-in security.

> I can't think of a single reason that when a user navigates to
> another domain, you would want that domain to access your
> window.opener, so the UA clearly could do this.

If the primary domain is www.example.com and the other domain is
help.example.com the UA clearly should allow them to communicate by
request. Believe me, nulling window.opener if origin check fails will
break MANY sites.

And now I'm going to shut up. Really :)

-- 
Hallvord R. M. Steen



More information about the whatwg mailing list