- From: Anne van Kesteren <annevk@opera.com>
- Date: Fri, 19 Sep 2008 11:16:24 +0200
- To: "Hallvord R. M. Steen" <hallvord@opera.com>, "Lachlan Hunt" <lachlan.hunt@lachy.id.au>
- Cc: public-html@w3.org
On Fri, 19 Sep 2008 11:11:35 +0200, Hallvord R. M. Steen <hallvord@opera.com> wrote: > On Thu, 18 Sep 2008 22:33:46 +0200, Lachlan Hunt > <lachlan.hunt@lachy.id.au> wrote: > >>> If this is in the spec we had better drop it - perhaps a brand new >>> value like <a target="_standalone" href="..."> could do the job but >>> we can't change _blank. >> >> We don't need a new value for this because no-one has demonstrated that >> there is a real problem here that needs solving. Until that happens, >> coming up with potential solutions really isn't worthwhile. > > I happen to think there is a real problem here, which is why Opera tried > changing the implementation: a site should be able to declare "this link > should open a new window but should not be able to 'reference' me (or in > HTML5 terms: be considered part of my related browsing contexts)". > > In fact, window.opener being set if the openee is an untrusted site is a > security problem in the current window.opener design. rel="noreferrer" solves that issue. Browsers should probably start implementing it: http://www.whatwg.org/specs/web-apps/current-work/multipage/structured.html#link-type8 -- Anne van Kesteren <http://annevankesteren.nl/> <http://www.opera.com/>
Received on Friday, 19 September 2008 09:16:38 UTC