- From: Hallvord R M Steen <hallvors@gmail.com>
- Date: Tue, 20 Mar 2007 12:40:02 +0100
Hi, when a new window or tab is opened by a page it normally has a "window.opener" property that points to the window object of the original tab. This happens whether the new window is opened by a JavaScript calling window.open or by a link or form with target attribute set. If an origin check fails when comparing the locations of the old window and the popup, the normal cross-domain security policies apply. This means that popup contents from a different site will not be allowed to call methods or manipulate the DOM of the opener. However, this cross-domain security policy has one exception: the popup may set the location of its opener. This has phishing potential, particularly for webmail where opening external links in a new window is a very common use case. Hence I think it would be a good idea to let a site opt-out and specify that the popup should not have a window.opener property. For example, one could extend the "features" argument of window.open: window.open(url, name, 'openerproperty=0'); Thoughts? References: http://my.opera.com/hallvors/blog/2007/03/14/window-opener-and-security-an-unfixable-problem -- Hallvord R. M. Steen
Received on Tuesday, 20 March 2007 04:40:02 UTC