W3C home > Mailing lists > Public > public-webapi@w3.org > June 2007

Re: ACTION-61: text for embedding part of the Window object

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 5 Jun 2007 06:47:23 +0000 (UTC)
To: Boris Zbarsky <bzbarsky@MIT.EDU>
Cc: "Web APIs WG (public)" <public-webapi@w3.org>
Message-ID: <Pine.LNX.4.64.0706050646070.13385@dhalsim.dreamhost.com>

On Tue, 5 Jun 2007, Boris Zbarsky wrote:
> 
> evil.com has:
> 
> var win = window.open("http://victim.com", "login-popup");
> 
> Now if victim.com does a window.open() into login-popup, not only does it
> overwrite itself (possibly unexpected), but evil.com gets a handle to the
> login-popup window.  Generally unexpected behavior all around....

Getting a handle to login-popup is not a big deal. You could get that 
anyway by just opening the login popup window yourself anyway. The fact 
that the site overwrites itself is a bigger concern (usability, though, 
not security); but I don't see what we can do about that.


> It almost seems like window names should be scoped to origins....  But I 
> bet that would break some site somewhere.  :(

Indeed, I tried doing that earlier and you complained, saying it would 
break sites. :-)

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 5 June 2007 06:47:30 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:57 GMT