[whatwg] window.opener and security

> 1) Either it is your responsibility to handle the nulling of the
> property *or*
> 2) It is the UA's.

The UA can not do this. It would break legacy pages by resetting
window.opener if content comes from a different server.

> I personally think the UA should handle it (as stated previously)
> **BUT** if they do not, you *ARE* responsible for programming
> correctly and using an unload to null the property when someone
> navigates away.

Wouldn't it then be cleaner to be able to tell the UA in advance that
the window should not have an .opener property?

> **AND** you seem to want this extension to cure a problem, that is
> also cured by window.opener.opener

You mean window.top.opener . No, that issue is in no way related to
the suggested extension.

-- 
Hallvord R. M. Steen

Received on Tuesday, 20 March 2007 08:45:47 UTC