Re: [whatwg] Proposal for Links to Unrelated Browsing Contexts

From: Glenn Maynard <glenn@zewt.org>
Date: Mon, 1 Oct 2012 18:52:23 -0500
Message-ID: <CABirCh_2tiY7sRLCH-tC3=0GYqhYvKPeYLktEX6ZK-40gC2=iA@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: whatwg@whatwg.org

On Mon, Oct 1, 2012 at 5:10 PM, Ian Hickson <ian@hixie.ch> wrote:

>  >  + have the new page be in a new browsing context
>
> ...it's a new browsing context (e.g. target="_blank").
>

I'm not very familiar with the browsing context concept: what's the
practical security issue here?  It should never be necessary to open a new
window to invoke security features, since in general opening new windows
without a good UI reason is extremely rude.  (A good UI reason is "this is
an expensive-to-load web app that's typically used over a long term, so you
rarely want to replace the tab with links", eg. Gmail.  The all-too-common
bad reason is "we want people to keep pages open in the user's browser for
as long as possible in the hopes that it'll make them come back by accident,
so we'll sprinkle target=_blank everywhere", eg. amazon.co.jp makes *every
search result* target=_blank.)  This is abused so constantly that I disable
it with browser.link.open_newwindow in FF.

If there are security features that are only accessible with target=_blank,
they should be accessible without the antisocial behavior of opening new
windows/tabs that the user didn't ask for.  (If there are security issues
with opening links in the same tab in the first place, I'm interested in
knowing what they are.)

-- 
Glenn Maynard
Received on Monday, 1 October 2012 23:53:08 GMT
