Re: [whatwg] Proposal for Links to Unrelated Browsing Contexts from Ian Hickson on 2012-08-27 (public-whatwg-archive@w3.org from August 2012)

From: Ian Hickson <ian@hixie.ch>
Date: Mon, 27 Aug 2012 23:46:33 +0000 (UTC)
To: Charlie Reis <creis@chromium.org>
Cc: whatwg@lists.whatwg.org
Message-ID: <Pine.LNX.4.64.1208272343450.30734@ps20323.dreamhostps.com>

On Wed, 6 Jun 2012, Charlie Reis wrote:
>
>   I've posted a new proposal to the WhatWG wiki to give web sites a way 
> to open a link in an unrelated browsing context.  These links would open 
> in a new window with no script connections back to the original site, 
> which is useful for web apps like Gmail that open user-contributed 
> links.  Also, this could allow multi-process browsers like Google Chrome 
> to open the new page in a separate process.
> 
>   Any feedback on the proposal is appreciated! 
> http://wiki.whatwg.org/wiki/Links_to_Unrelated_Browsing_Contexts

It's not entirely clear to me what the desired behaviour is here. Which of 
the following are considered features that we need to provide? Which are 
secondary goals, which are non-goals, which are anti-goals?

 + have "window.opener" not be set
 + have the window.name of the new page be set to ""
 + have the window of the new page not be able to reach the opener via
   a named window.open() or target=""
 + have the referer header be cleared on the load of the new page
 + have the sessionStorage not be cloned for the new page's browsing
   context
 + have the new page use a different event loop if possible (new process)
 + have the new page be in a different unit of related browsing contexts
 + have the new page be in a new browsing context
 + have the new page be in the same browsing context

Does this need to be done from window.open()? From <a href>? From <form 
action>? Is this a symmetric feature?

At a more fundamental level: what are the use cases here? Is it just 
e-mail clients that want to open links? What are the attack scenarios? Is 
it just links in e-mails getting at the e-mail app somehow?

Without more details like the above it's hard to evaluate the proposals.
 
-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Monday, 27 August 2012 23:47:01 UTC