- From: David Bokan <notifications@github.com>
- Date: Thu, 10 Oct 2019 11:50:58 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 10 October 2019 18:51:01 UTC
It was pointed out in the [I2S](https://docs.google.com/document/u/2/d/1She9CdLFQiNNZiBHdLYTdlRAA4vGOeAF8_3VI4Lc9yw/edit?ts=5d967698) that we never resolved @annevk's point above.

> I couldn't find a description of how "Restricted to pages without an opener (no window.open)" is managed. (In particular, if A1 opens a popup A2 which then navigates A1 to V, V won't have an opener, but we certainly don't want this to work there.)

Sorry about that, pasting my recent reply from there:

> Apologies, we did go over this internally with our security reviewers but I forgot to reply on the thread. The outcome was that we consider this one of several mitigations, rather than a hard security boundary. Given that this means a popup is visible, and the attacker would need to phish user gestures, and they can only search on word boundaries, and they would still need some exploit to determine a cross-origin scroll, we felt that this wasn't concerning enough to add a ton of complexity to lock down further.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/392#issuecomment-540724030