[whatwg] window.opener and security
Gareth Hay
gazhay at gmail.com
Tue Mar 20 09:30:43 PDT 2007
> If the primary domain is www.example.com and the other domain is
> help.example.com the UA clearly should allow them to communicate by
> request. Believe me, nulling window.opener if origin check fails will
> break MANY sites.
This is not the point I am making, and I feel we are not
understanding one another.
I don't think I understand you, and you don't understand me.
I have personally written many applications which use window.open
windows, iframes, and such, and have *never* needed to 'spoof' the
browser into re-assigning a window.
The *potential* for security breach is if cross-domain scripting is
allowed, after a user has left your site.
If the UA nulls window.opener at that point, then it won't break
anything.
How many 3rd party websites are designed to run in a popup from
another domain?
As I said, the WebKit folks seem to think my idea of read-only was a
good one.
> Breaking *any* website is a problem. Yes, security is important. But
> this is a problem with a clear and limited (ab)use case - mainly
> webmails - and we can add a feature giving those relatively few
> webmail sites some easy-to-use opt-in security.
I disagree, Apache security fixes are rolled out, and the developer
is expected to cope, PHP roll out security fixes, and the developer
has to cope.
If the problem here is that a webmail vendor will not adjust his code
to work in a secure environment, then I am astounded.
If this post really isn't about security, then I think you need to
address the subject and actually detail what it is about.
More information about the whatwg
mailing list