W3C home > Mailing lists > Public > whatwg@whatwg.org > March 2007

[whatwg] window.opener and security

From: Hallvord R M Steen <hallvors@gmail.com>
Date: Tue, 20 Mar 2007 16:45:47 +0100
Message-ID: <dd4c8a40703200845o53e4c87dx5b2c247d065b0abb@mail.gmail.com>
> 1) Either it is your responsibility to handle the nulling of the
> property *or*
> 2) It is the UA's.

The UA can not do this. It would break legacy pages by resetting
window.opener if content comes from a different server.

> I personally think the UA should handle it (as stated previously)
> **BUT** if they do not, you *ARE* responsible for programming
> correctly and using an unload to null the property when someone
> navigates away.

Wouldn't it then be cleaner to be able to tell the UA in advance that
the window should not have an .opener property?

> **AND** you seem to want this extension to cure a problem, that is
> also cured by window.opener.opener

You mean window.top.opener . No, that issue is in no way related to
the suggested extension.

Hallvord R. M. Steen
Received on Tuesday, 20 March 2007 08:45:47 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:58:53 UTC