
Re: [widgets] API - openURL security considerations

From: Scott Wilson <scott.bradley.wilson@gmail.com>
Date: Sat, 20 Feb 2010 15:02:11 +0000
Cc: "public-webapps@w3.org" <public-webapps@w3.org>
Message-Id: <D4F3BD20-1E3D-4E74-94B4-F2D84BD59985@gmail.com>
To: Arve Bersvendsen <arveb@opera.com>

On 18 Feb 2010, at 21:52, Arve Bersvendsen wrote:

> On Thu, 18 Feb 2010 22:09:00 +0100, Scott Wilson <scott.bradley.wilson@gmail.com> wrote:
>
>> Hi both,
>>
>> Apache Wookie (incubating) currently implements the widget.openURL
>> method by directly calling the browser's window.open() function - in
>> this example is there anything particularly special about the fact
>> it's being called by a widget? Should our implementation do anything
>> extra, or is it better just leaving it to the browser to handle any
>> problems?
>
> The way I view this is roughly as follows:
>
> 1. window.open() opens a URL within the context of the widget, for  
> instance for the purpose of authenticating a widget using something  
> like oAuth.
>
> 2. widget.openURL() is used to pass a URL from a widget to the  
> default protocol handler on a system for any given protocol, for  
> instance to pass a URL from the widget to the web browser on the  
> system, to place a phone call or pass a magnet link to a bittorrent  
> client
>
> The underlying difference here is that window.open would retain a  
> reference to the widget, usually through window.opener, while  
> widget.openURL is fire and forget.

Thanks, Arve, that's useful.

I guess in that case we should remove the reference to the widget's  
window from the new window, e.g.:

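widget.openURL = function(url){
	// Keep the handle local; window.open() returns null if the popup is blocked
	var remote = window.open(url);
	if (remote) {
		// Drop the new window's reference back to the widget
		remote.opener = null;
	}
};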

> -- 
> Arve Bersvendsen
>
> Opera Software ASA, http://www.opera.com/



Received on Saturday, 20 February 2010 15:02:55 GMT
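
The fire-and-forget behaviour discussed in this message, as an added example that is not part of the original e-mail or of Apache Wookie's code. It assumes the `noopener` window feature, a later browser addition the thread does not mention; `makeOpenURL`, `fakeHost` and `demo` are hypothetical names, and `host` is a constructed stand-in for `window` so the code also runs outside a browser.

```javascript
// Build an openURL() bound to a window-like object (assumption: `host`
// exposes open(url, target, features) the way a browser window does).
function makeOpenURL(host) {
  return function openURL(url) {
    // Ask the browser not to set window.opener at all.
    var remote = host.open(url, '_blank', 'noopener');
    // If noopener is honoured (or the popup is blocked) open() returns null
    // and there is nothing to clean up. Engines that ignore the feature
    // return a handle, so sever the back-reference by hand.
    if (remote) {
      remote.opener = null;
    }
    // Fire and forget: the widget never receives the window handle.
    return undefined;
  };
}

// Constructed stand-in for a browser window. honoursNoopener selects
// between an engine that implements the feature and one that ignores it.
function fakeHost(honoursNoopener) {
  var host = { opened: [] };
  host.open = function (url, target, features) {
    var noopener = honoursNoopener &&
      /(^|,)\s*noopener\s*(,|$)/.test(features || '');
    var child = { url: url, opener: noopener ? null : host };
    host.opened.push(child);
    return noopener ? null : child;
  };
  return host;
}

// Open one URL through openURL() and report what the new window can see.
function demo(honoursNoopener) {
  var host = fakeHost(honoursNoopener);
  var result = makeOpenURL(host)('https://example.org/');
  return { result: result, opener: host.opened[0].opener };
}
```
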
