[whatwg] window.opener and security

From: Gareth Hay <gazhay@gmail.com>
Date: Tue, 20 Mar 2007 15:03:01 +0000
Message-ID: <08076197-00E6-4981-A004-4D1CA3D79108@gmail.com>
I think you are deliberately missing the point now...

On 20 Mar 2007, at 14:50, Hallvord R M Steen wrote:

> On 20/03/07, Gareth Hay <gazhay at gmail.com> wrote:
>> Anyway, for use case 1 - If you are worried about phishing attacks,
>> you should be using some sort of
>> onunload handler trapping to null window.opener.
>
> Yet you are arguing that it should be impossible to set window.opener.
> If you had your way that unload handler would simply throw an
> exception...
>
As was clearly stated, I showed a workaround and then suggested it  
should be up to the UA to handle this situation.
It is not helpful to deliberately misunderstand points, and quote  
them out of context. I suggest you re-read my mail.

> I will not follow up this discussion further because it is not
> relevant for the proposed window.open extension. I still think it
> would be useful to allow a page to open a popup without a
> window.opener property to protect itself from malicious address
> modification.

I also clearly stated on topic why I don't think this is required. So  
that you didn't miss the point again, (deliberately or not)

1) Either it is your responsibility to handle the nulling of the  
property *or*
2) It is the UA's.

I personally think the UA should handle it (as stated previously)
**BUT** if they do not, you *ARE* responsible for programming  
correctly and using an unload to null the property when someone  
navigates away.

**AND** you seem to want this extension to cure a problem, that is  
also cured by window.opener.opener

Gareth
Received on Tuesday, 20 March 2007 08:03:01 UTC
