[whatwg] Specify href target with HTTP headers
svartman95 at gmail.com
Wed Mar 7 14:53:14 PST 2012
On Wed, 07 Mar 2012 22:19:17 -0000, Christian Schmidt <whatwg.org at chsc.dk>
> I suggest that a server can specify a link target in an HTTP header,
> e.g. "Window-Target: _blank". The page would be equivalent to specifying
> the same value in the <form> or <a> tag leading to the page. It should
> probably be subject to some kind of restrictions, e.g. the header could
> be ignored if the link destination and the referring page had different
> origins, unless the referring page specified some special value in the
> target, e.g. _server (this value would indicate that the link
> destination is a somewhat trusted resource whose Window-Target header
> should be honoured). This ensures that the referring origin is always in
> control of the target.
We should describe the security implications of lifting said restrictions
(if any) in the rationale document, for when someone is burdened by these
restrictions and can't figure if they were added for erring on the side of
security or to address some specific security problems.
> It seems there was such a header (to some extent, at least) back in
> Netscape 4:
> The Content-Disposition: attachment/inline header does something related
> not entirely. Its was originally invented for use in MIME mails.
Content-Disposition seems like the "correct" header to use to me, but
using the previously implemented header is fair enough. Window-Target and
Content-Disposition must not appear in the same message, as the semantics
of the former are a subset of the semantics of the latter AFAICT.
> Use-case #1:
> Sometimes the form target cannot be determined until after the form has
> been submitted. Assume you have a form of some kind. If the server-side
> validation fails, you want to load the same page again (this time with
> an error message) in the same window, but if the server-side validation
> succeeds, you want to open a new window, e.g. containting a PDF or some
> application-like window. This behaviour is sometimes done using
> window.open() on the target page, but many popup blockers prevent this.
Separating the network protocol from the user interface seems highly
desirable. Window-Target sacrifices that. Would it not be more appropriate
to return an error response clearly marked as such? That, however, would
leave the issue of connecting error messages to specific form fields.
> Use-case #2:
> In Drupal 8 the administrative pages are opened in an overlay/lightbox
> on top of the frontend pages. For each URL it is specified (by means of
> wildcard patterns in hook_admin_paths()) whether it should open in the
> overlay or in the entire browser window, i.e. whether the URL is an
> administrative page or not. For each link on a page the target attribute
> should be specified accordingly (this is handled client-side using a
> click handler on <a> elements that matches the current href against the
> wildcard patterns and dynamically alters the target attribute - see
> Drupal.overlay.eventhandlerOverrideLink in ). Contrary to use-case #1
> it /is/ possible to preprocess all links, but it is a lot of work for
> all links on a page. It would be easier if the server could determine,
> whether the link that was actually clicked on should open in the overlay
> or not.
Note that you can also annotate the links with target hints server-side
when you serve the frontend pages. While Window-Target may not be a great
solution to this problem, I can't think of a better one ATM.
> On <a> and <form> elements you can specify a target attribute, e.g.
> _blank. But sometimes you don't know whether to open in _self or _blank
> at the time the link is clicked/the form is submitted.
The questions are, what information is necessary to decide whether to
reuse the browsing context or not, and what other decisions depend on the
More information about the whatwg