Re: [whatwg/fetch] From-Origin (#687)

Thanks, @rniwa!

> I'm not certain it makes sense to prevent window.open on the basis that some browsers don't support it today.

If the purpose is to prevent an origin's data from entering a process, I'd suggest that we need to be as thorough as possible in reducing an attacker's opportunity. Because `window.open` gives the opening context a handle to the newly opened window, it gains script access to that window. Chrome's implementation only recently allowed us to push those newly opened windows into separate processes. I'd be thrilled to hear that other vendors have done the same. *shrug*

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/687#issuecomment-378840327

Received on Thursday, 5 April 2018 07:07:22 UTC