- From: Adam Barth <hk9565@gmail.com>
- Date: Sat, 9 Feb 2008 01:05:44 -0800
On Feb 7, 2008 4:32 AM, Hallvord R M Steen <hallvors at gmail.com> wrote: > One case I'm still > somewhat concerned about is that one is allowed to set the location of > any top-level window according to the ancestor policy, Yes. I think there is a lot of room for improvement in this part of the navigation policy. The idea behind permitting the navigation of top-level windows is that browsers display the location of these windows in the location bar, but a user might not notice that the location bar has changed if the top-level window is navigated at an unexpected time. Firefox's implementation of the ancestor policy restricts the navigation of top-level windows based on openers (but only when navigating by name). As you know, Opera restricts the navigation of top-level windows based on a number of factors, including whether the window is displaying an HTTPS page and the destination of the navigation. > For example, consider > > w=window.open(); > w.opener = null; > w.location = 'http://untrusted.example.org' > w.postMessage( '...' ); > > Untrusted content now gets a window reference it would not otherwise > have, and will be allowed to set location if this scripts runs in the > top context of the opener. This is an interesting case because some web sites, for example Gmail, attempt to restrict which sites can navigate their frames by nulling the window.opener property of windows they creates. This technique is only partially effective because 1) Safari restores the opener property after navigation, <http://bugs.webkit.org/show_bug.cgi?id=17111>. 2) Gmail, in particular, doesn't clear the window.name property of its window. That means a malicious web site can navigate the Gmail window if it happens to have a name. It seems like a better solution is to improve the navigation policy for top-level windows. That way, web sites don't have to fight the losing battle of controlling references to their windows. One possibility is to prevent one frame from navigating another if the frames are in different units of related browsing contexts. This is consistent with HTML5's philosophy that different units of related browsing contexts could be run in different threads and do not interact directly. That way, if a user visits a web site by first creating a new tab, the existing frames cannot navigate the new site's frame. In addition, we could define a new target, for example "_unrelated", such that calling window.open(url, "_unrelated") would open the URL in a new unit of related browsing contexts. Under the proposed policy, the newly opened window would be unable to navigate its opener. (Of course, window.open would need to return null and the newly opened window's window.opener property would need to be null.) This would be a useful mechanism for applications like webmail that wish to open windows but do not wish to be associated with the content they open. Adam
Received on Saturday, 9 February 2008 01:05:44 UTC