W3C home > Mailing lists > Public > whatwg@whatwg.org > March 2007

[whatwg] window.opener and security

From: Gareth Hay <gazhay@gmail.com>
Date: Tue, 20 Mar 2007 15:52:58 +0000
Message-ID: <52C14B94-6449-46CC-A459-0A1F5636F3C6@gmail.com>

On 20 Mar 2007, at 15:45, Hallvord R M Steen wrote:

>> 1) Either it is your responsibility to handle the nulling of the
>> property *or*
>> 2) It is the UA's.
>
> The UA can not do this. It would break legacy pages by resetting
> window.opener if content comes from a different server.
>
If this is a security point, which I take from the subject  
"window.opener and security" it is, there is no problem with a UA  
breaking an implementation that relied on insecurity.
I can't think of a single reason that when a user navigates to  
another domain, you would want that domain to access your  
window.opener, so the UA clearly could do this.

>> I personally think the UA should handle it (as stated previously)
>> **BUT** if they do not, you *ARE* responsible for programming
>> correctly and using an unload to null the property when someone
>> navigates away.
>
> Wouldn't it then be cleaner to be able to tell the UA in advance that
> the window should not have an .opener property?
>
Isn't this about security?
There is no security risk allowing your own window to access .opener.
When you switch domains, the UA either nulls it, or as is the current  
case, on WebKit at least, it throws exceptions when you try to access  
it.

I don't see the need for this property at all.

>> **AND** you seem to want this extension to cure a problem, that is
>> also cured by window.opener.opener
>
> You mean window.top.opener . No, that issue is in no way related to
> the suggested extension.

i didn't mean window.top.opener

> document.getElementsByTagName('iframe') 
> [0].contentWindow.opener=self.opener;
Received on Tuesday, 20 March 2007 08:52:58 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:58:53 UTC