- From: Boris Zbarsky <bzbarsky@mit.edu>
- Date: Tue, 18 Apr 2006 18:51:42 -0500
- To: Maciej Stachowiak <mjs@apple.com>
- CC: "Web APIs WG (public)" <public-webapi@w3.org>

Maciej Stachowiak wrote:
> The name set by "window.open" persists across document loads normally,
> and this seems analogous.

True, but there the name is set by the thing that "owns" the window, in some sense....

> Can you think of a way the existing browser behavior might be exploitable?

Well, browsers can target windows they've opened, so by setting window.name a site B opened from another site A can control which frames targeted links and window.open calls from site A are loaded in..

> Conversely, do you have a proposal for what the behavior should be?

Perhaps the window targeting checks should check against whoever set window.name (including by opening the window) instead of just checking against the opener? I think we could then allow sites to change window.name without introducing problems.

-Boris

Received on Tuesday, 18 April 2006 23:51:55 UTC
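
The two targeting checks discussed in the message above can be compared in a small model; this is an added example, not code from the thread or from any browser. The `BrowsingContext` class, the `nameSetBy` field, the function names and the `a.example`/`b.example` origins are all assumptions made for illustration.

```javascript
// Simplified model only: not any browser's actual window-targeting algorithm.
class BrowsingContext {
  constructor(origin, name, openerOrigin) {
    this.origin = origin;             // origin of the document currently loaded
    this.name = name;                 // value of window.name
    this.openerOrigin = openerOrigin; // origin whose script opened this window
    this.nameSetBy = openerOrigin;    // opening a window counts as naming it
  }
  // Script running in the loaded document assigns window.name.
  setName(newName) {
    this.name = newName;
    this.nameSetBy = this.origin;
  }
}

// Check described in the message: callers may target windows they opened.
const openerCheck = (caller, ctx) => ctx.openerOrigin === caller;
// Check proposed in the message: callers may target windows whose name they set.
const nameSetterCheck = (caller, ctx) => ctx.nameSetBy === caller;

// Resolve a targeted link or window.open(url, name) issued by `caller`.
// Returns the context that would be reused, or null when a new window is created.
function resolveTarget(contexts, caller, name, check) {
  return contexts.find((c) => c.name === name && check(caller, c)) || null;
}

// Constructed scenario: site A opens site B as "popup"; B may then rename
// itself to "help", a name A uses later for its own targeted links.
function scenario(check, bRenames) {
  const A = "https://a.example", B = "https://b.example";
  const popup = new BrowsingContext(B, "popup", A);
  if (bRenames) popup.setName("help");
  const describe = (ctx) =>
    ctx ? "reuses window holding " + ctx.origin : "new window";
  return {
    popup: describe(resolveTarget([popup], A, "popup", check)),
    help: describe(resolveTarget([popup], A, "help", check)),
  };
}

console.log("opener check, B renames:", scenario(openerCheck, true));
console.log("name-setter check, B renames:", scenario(nameSetterCheck, true));
console.log("name-setter check, no rename:", scenario(nameSetterCheck, false));
```

Under the opener check, A's later navigation to "help" lands in the window B renamed; under the name-setter check it opens a new window, while A can still reach a popup whose name it assigned itself.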