[whatwg] window.opener security issues (Was: WhatWG is broken)

On Wed, Nov 30, 2016 at 4:49 PM Michael A. Peters <mpeters@domblogger.net>
wrote:

>
> Right now the specification for window.opener() is seriously insecure,
> allowing for cross-domain script access by default.
>

I believe that's a bit of an overstatement. There are certainly risks
involved in window.opener (they're briefly discussed in the spec itself),
but it doesn't remove the origin checks.



> The reason they refuse to properly address the issue is because it would
> break OAuth.
>

I'm not sure who "they" is here, but since this is the first this topic has
come up on this list, would you mind providing us with some background?

For example, could you describe the security risk? How does it break OAuth?
Can you give an example of a page affected by this?

If there's a particular github issue where these topics have already been
discussed, then if you would like the broader WHATWG community to be aware
of these issues then I recommend linking to that issue in your e-mail to
the list. Many people following the list don't follow the github repository
closely enough to see every issue.


> the browsers will not protect them unless the specification calls for it,
> and the specification will not call for it because the same companies
> that are heavily invested in OAuth run the WhatWG.
>

That's not really how the WHATWG works. I encourage you to read our FAQ:
   https://wiki.whatwg.org/wiki/FAQ

One factor to bear in mind in particular is that the specification has no
power. We could put whatever we want in the spec, but if browser vendors
don't want to implement it, it doesn't really matter, they'll just ignore
it.


> If the WhatWG can't put the security of Internet users first, then it
> needs to be disbanded and replaced by a working group that will put the
> security of the users first.
>

There's already plenty too many working groups working on HTML as it is...

Cheers,
-- 
Ian Hickson

Received on Thursday, 1 December 2016 01:26:16 UTC