Ian Hickson wrote:
>> And this doesn't really address the concern I raised about window.name
>> (and window targeting) seeing names set by some other site when it
>> opened you in a popup...
>
> That wasn't what the bug was about; could you elaborate on this concern
> further? I'm not sure I remember which it was.

evil.com has:

  var win = window.open("http://victim.com", "login-popup");

Now if victim.com does a window.open() into login-popup, not only does it overwrite itself (possibly unexpected), but evil.com gets a handle to the login-popup window.

Generally unexpected behavior all around....

It almost seems like window names should be scoped to origins.... But I bet that would break some site somewhere. :(

-Boris

Received on Tuesday, 5 June 2007 06:36:02 GMT
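The scenario in the message above, as an added example that is not part of the original post: a simplified JavaScript model of window-name targeting (not browser code; `Browser`, `scenario` and the `scoped` switch are hypothetical names) that compares one global name table with names scoped to the origin that assigned them.

```javascript
// Simplified model of window-name targeting; it does not call any browser API.
// scoped=false: one global name table (the behaviour described in the message).
// scoped=true:  a name only matches for the origin that assigned it (the idea floated there).
class Browser {
  constructor(scoped) {
    this.scoped = scoped;
    this.contexts = [];
  }
  // Top-level window the user opened directly: no name, nobody named it.
  visit(url) {
    return this.create(url, "", null);
  }
  create(url, name, namedBy) {
    const ctx = { origin: new URL(url).origin, url, name, namedBy, navigations: 1 };
    this.contexts.push(ctx);
    return ctx;
  }
  // Models window.open(url, name) called from the window `caller`.
  open(caller, url, name) {
    const hit = this.contexts.find(c =>
      c.name === name && (!this.scoped || c.namedBy === caller.origin));
    if (hit) {
      // An existing window with that name is reused and navigated.
      hit.url = url;
      hit.origin = new URL(url).origin;
      hit.navigations += 1;
      return hit;
    }
    return this.create(url, name, caller.origin);
  }
}

function scenario(scoped) {
  const b = new Browser(scoped);
  const evil = b.visit("http://evil.com/");
  // evil.com opens victim.com in a popup and picks the name itself.
  const evilHandle = b.open(evil, "http://victim.com/", "login-popup");
  // victim.com, running inside that popup, opens what it believes is its own login window.
  const loginWin = b.open(evilHandle, "http://victim.com/login", "login-popup");
  return {
    victimOverwroteItself: evilHandle.navigations > 1,
    evilHoldsLoginWindow: evilHandle === loginWin,
    windows: b.contexts.length,
  };
}

console.log("global names:", scenario(false));
console.log("origin-scoped names:", scenario(true));
```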