- From: Gareth Hay <gazhay@gmail.com>
- Date: Tue, 20 Mar 2007 16:30:43 +0000
> If the primary domain is www.example.com and the other domain is > help.example.com the UA clearly should allow them to communicate by > request. Believe me, nulling window.opener if origin check fails will > break MANY sites. This is not the point I am making, and I feel we are not understanding one another. I don't think I understand you, and you don't understand me. I have personally written many applications which use window.open windows, iframes, and such, and have *never* needed to 'spoof' the browser into re-assigning a window. The *potential* for security breach is if cross-domain scripting is allowed, after a user has left your site. If the UA nulls window.opener at that point, then it won't break anything. How many 3rd party websites are designed to run in a popup from another domain? As I said, the WebKit folks seem to think my idea of read-only was a good one. > Breaking *any* website is a problem. Yes, security is important. But > this is a problem with a clear and limited (ab)use case - mainly > webmails - and we can add a feature giving those relatively few > webmail sites some easy-to-use opt-in security. I disagree, Apache security fixes are rolled out, and the developer is expected to cope, PHP roll out security fixes, and the developer has to cope. If the problem here is that a webmail vendor will not adjust his code to work in a secure environment, then I am astounded. If this post really isn't about security, then I think you need to address the subject and actually detail what it is about.
Received on Tuesday, 20 March 2007 09:30:43 UTC