W3C home > Mailing lists > Public > whatwg@whatwg.org > March 2007

[whatwg] window.opener and security

From: Gareth Hay <gazhay@gmail.com>
Date: Tue, 20 Mar 2007 13:06:01 +0000
Message-ID: <E6FA0E6D-C5D5-4961-AFA9-C23F214F2ECF@gmail.com>
Well, window.opener is conceptually a link from child to parent.
Can you give a valid use-case for adoption of the child to another  
parent?

On 20 Mar 2007, at 13:00, Hallvord R M Steen wrote:

> On 20/03/07, Gareth Hay <gazhay at gmail.com> wrote:
>> window.opener should be read-only and attempting to write to it
>> should throw an exception.
>
> I don't really see why setting opener would be dangerous, so I
> disagree that it should throw. Anyway, that is a different issue. What
> I'm talking about is the built-in behaviour - the browser itself sets
> window.opener in all popups, and there is currently no way to open a
> popup that is prevented from changing the location of its opener.
>
> (An exception is Opera applying a stricter security policy if the
> opener is an https page so in this case popup can't set location of
> its opener, but I'm not sure if the other UAs do this.)
>
Received on Tuesday, 20 March 2007 06:06:01 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:58:53 UTC