[whatwg] window.opener and security

Gareth Hay gazhay at gmail.com
Tue Mar 20 09:30:43 PDT 2007


> If the primary domain is www.example.com and the other domain is
> help.example.com the UA clearly should allow them to communicate by
> request. Believe me, nulling window.opener if origin check fails will
> break MANY sites.

This is not the point I am making, and I feel we are not  
understanding one another.
I don't think I understand you, and you don't understand me.

I have personally written many applications which use window.open  
windows, iframes, and such, and have *never* needed to 'spoof' the  
browser into re-assigning a window.

The *potential* for security breach is if cross-domain scripting is  
allowed, after a user has left your site.
If the UA nulls window.opener at that point, then it won't break  
anything.
How many 3rd party websites are designed to run in a popup from  
another domain?

As I said, the WebKit folks seem to think my idea of read-only was a  
good one.

> Breaking *any* website is a problem. Yes, security is important. But
> this is a problem with a clear and limited (ab)use case - mainly
> webmails - and we can add a feature giving those relatively few
> webmail sites some easy-to-use opt-in security.

I disagree, Apache security fixes are rolled out, and the developer  
is expected to cope, PHP roll out security fixes, and the developer  
has to cope.
If the problem here is that a webmail vendor will not adjust his code  
to work in a secure environment, then I am astounded.

If this post really isn't about security, then I think you need to  
address the subject and actually detail what it is about.



More information about the whatwg mailing list