
Re: Changing window.name behavior

From: John Wilander <wilander@apple.com>
Date: Wed, 07 Dec 2016 13:28:23 -0800
Message-id: <C187C3D7-97DB-4840-83AE-F550D693FED9@apple.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Dan Anderson <dan-anderson@cox.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>
To: Mike West <mkwst@google.com>

We now clear window.name on cross-origin navigation in Safari Technology Preview:
https://webkit.org/blog/7093/release-notes-for-safari-technology-preview-19/

The gist of the change:
(WebCore::shouldClearWindowName): Returns true if frame is a main frame with no opener and
newDocument does not have the same origin as the frame's current document.

Full change set including test cases:
https://trac.webkit.org/changeset/209076/trunk/Source

Please let us know if any of you decide to move in a similar direction or hear about breakage. Thanks!

   Regards, John

> On Jul 19, 2016, at 1:12 AM, Mike West <mkwst@google.com> wrote:
> 
> https://www.iab.com/wp-content/uploads/2014/08/SafeFrames_v1.1_final.pdf came to my attention this morning. Section 2.4 outlines the way it uses `window.name` to serialize "configuration attributes of: a particular SafeFrame position configuration, metadata, and the content to be rendered" across origins.
> 
> Like it or not, it would probably be a good idea to make sure we're not breaking this ad delivery system without thinking about it first. :)
> 
> -mike
> 
> On Mon, Jul 18, 2016 at 9:18 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Thu, Jul 7, 2016 at 9:11 PM, Dan Anderson <dan-anderson@cox.net> wrote:
> > Maybe open a bug report for the browsers that are not following the specs?
> >
> > I think there was one for Mozilla once.
> 
> See https://bugzilla.mozilla.org/show_bug.cgi?id=444222. I think we
> basically lack someone to work on it...
> 
> 
> --
> https://annevankesteren.nl/
> 
> 
Received on Wednesday, 7 December 2016 21:28:59 UTC
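
The rule summarized in the message above ("main frame with no opener" and "not the same origin"), modelled as an added example that is not part of the original message and is not WebKit's code. The frame shape (`isMainFrame`, `opener`, `url`, `name`), the `navigate()` helper, the treatment of opaque origins and the sample URLs are assumptions made for illustration.

```javascript
// Model of the clearing rule quoted in the message. Not WebKit's implementation:
// the frame object and navigate() are hypothetical, sample values are constructed.

// Origin is scheme + host + port; the URL parser drops default ports and
// serializes opaque origins (e.g. data: URLs) as the string "null".
function originOf(url) {
  return new URL(url).origin;
}

function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  // Assumption in this model: an opaque origin never matches another URL's origin.
  if (oa === "null" || ob === "null") return false;
  return oa === ob;
}

// True only for a main frame with no opener navigating to a different origin.
function shouldClearWindowName(frame, newUrl) {
  if (!frame.isMainFrame) return false; // subframes keep their name
  if (frame.opener) return false;       // windows that have an opener keep it
  return !sameOrigin(frame.url, newUrl);
}

// Apply a navigation and return the resulting frame state.
function navigate(frame, newUrl) {
  const name = shouldClearWindowName(frame, newUrl) ? "" : frame.name;
  return { ...frame, url: newUrl, name };
}

// Constructed scenario: a page stored data in window.name before navigating.
function demo() {
  const top = {
    isMainFrame: true,
    opener: null,
    url: "https://site-a.example/account",
    name: "constructed-sample-value",
  };
  return {
    sameOrigin: navigate(top, "https://site-a.example:443/logout").name,
    crossOrigin: navigate(top, "https://site-b.example/").name,
    schemeChange: navigate(top, "http://site-a.example/").name,
    withOpener: navigate({ ...top, opener: {} }, "https://site-b.example/").name,
    subframe: navigate({ ...top, isMainFrame: false }, "https://site-b.example/").name,
  };
}

console.log(demo());
```
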
