[whatwg] window.opener and security

I was clearly mislead by the "window.opener and security" title then

On 20 Mar 2007, at 15:51, liorean wrote:

> On 20/03/07, Gareth Hay <gazhay at gmail.com> wrote:
>> As was clearly stated, I showed a workaround and then suggested it
>> should be up to the UA to handle this situation.
>> It is not helpful to deliberately misunderstand points, and quote
>> them out of context. I suggest you re-read my mail.
>
> You showed a workaround for a different problem than that which
> Hallvord initially tried to solve.
>
> The original problem is that browsers allow cross domain setting of
> windowobject.location. Whether windowobject in this case comes from
> window.opener isn't really relevant, except that it provides a method
> of getting a windowobject reference.
>
> Hallvord's solution is a workaround - it addresses the ability to get
> that windowobject reference, even though it doesn't address the core
> problem.
>
> On 20/03/07, Gareth Hay <gazhay at gmail.com> wrote:
>> 1) Either it is your responsibility to handle the nulling of the
>> property *or*
>> 2) It is the UA's.
>>
>> I personally think the UA should handle it (as stated previously)
>> **BUT** if they do not, you *ARE* responsible for programming
>> correctly and using an unload to null the property when someone
>> navigates away.
>
> I do agree about the responsibility side here. It's just doesn't
> address the core problem at all.
>
>> **AND** you seem to want this extension to cure a problem, that is
>> also cured by window.opener.opener
>
> No. He just gave a counterexample to your suggestion, a use case your
> solution would have broken. It wasn't relevant for his original
> proposal.
>
>
>
> Some thing I would like to add here, is that your "solution" doesn't
> do anything to solve the actual l problem case. Even if window.opener
> would be read only, that is just a reference to a window object. Even
> if that property would be read only you could still write to the
> location property of the window object it references. For your
> solution to work the read only attribute would have to cascade to all
> properties, something defying the nature of JavaScript.
>
> A much better solution, in my opinion, would be to make the location
> object safe from cross domain attacks by making it only writable from
> same domain, or if the document does not have a domain yet.
> (window.open without address) I do think this would break some sites,
> however.
>
> Hallvord's solution of allowing sites to disable the window.opener
> property and thereby preventing the writing to window.opener.location
> does solve the problem for that particular window object, as an opt-in
> security measure. The main problem I see with this approach is that if
> people aren't nulling the window.opener property already I don't think
> they would opt in for another alternative method of doing it. Actually
> fixing cross domain writing to the location object would.
> -- 
> David "liorean" Andersson

Received on Tuesday, 20 March 2007 08:58:32 UTC