[whatwg] Proposal for Links to Unrelated Browsing Contexts

Glenn Maynard glenn at zewt.org
Mon Oct 1 16:52:23 PDT 2012


On Mon, Oct 1, 2012 at 5:10 PM, Ian Hickson <ian at hixie.ch> wrote:

>  >  + have the new page be in a new browsing context
>
> ...it's a new browsing context (e.g. target="_blank").
>

I'm not very familiar with the browsing context concept: what's the
practical security issue here?  It should never be necessary to open a new
window to invoke security features, since in general opening new windows
without a good UI reason is extremely rude.  (A good UI reason is "this is
an expensive-to-load web app that's typically used over a long term, so you
rarely want to replace the tab with links", e.g. Gmail.  The all-too-common
bad reason is "we want people to keep pages open in the user's browser for
as long as possible in the hopes that it'll make them come back by accident,
so we'll sprinkle target=_blank everywhere", e.g. amazon.co.jp makes *every
search result* target=_blank.)  This is abused so constantly that I disable
it with browser.link.open_newwindow in FF.

If there are security features that are only accessible with target=_blank,
they should be accessible without the antisocial behavior of opening new
windows/tabs that the user didn't ask for.  (If there are security issues
with opening links in the same tab in the first place, I'm interested in
knowing what they are.)

-- 
Glenn Maynard


