- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 5 Jun 2007 06:47:23 +0000 (UTC)
- To: Boris Zbarsky <bzbarsky@MIT.EDU>
- Cc: "Web APIs WG (public)" <public-webapi@w3.org>
On Tue, 5 Jun 2007, Boris Zbarsky wrote:
>
> evil.com has:
>
> var win = window.open("http://victim.com", "login-popup");
>
> Now if victim.com does a window.open() into login-popup, not only does it
> overwrite itself (possibly unexpected), but evil.com gets a handle to the
> login-popup window. Generally unexpected behavior all around....
Getting a handle to login-popup is not a big deal. You could get that
anyway by just opening the login popup window yourself anyway. The fact
that the site overwrites itself is a bigger concern (usability, though,
not security); but I don't see what we can do about that.
> It almost seems like window names should be scoped to origins.... But I
> bet that would break some site somewhere. :(
Indeed, I tried doing that earlier and you complained, saying it would
break sites. :-)
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 5 June 2007 06:47:30 UTC