Re: [whatwg] Proposal for Links to Unrelated Browsing Contexts

On Thu, 14 Jun 2012 01:44:12 +0200, Michal Zalewski <lcamtuf@coredump.cx>  
wrote:

>> Any feedback on this revised approach?
>
> My vague concern is that the separation is a bit fuzzy, beyond saying
> that window.opener will be null... if that's the only guaranteed
> outcome, then maybe that should be spelled out more clearly?

rel=noreferrer already has this feature, FWIW.

http://www.whatwg.org/specs/web-apps/current-work/multipage/links.html#link-type-noreferrer

"This keyword also causes the opener attribute to remain null if the  
hyperlink creates a new browsing context."


> The
> degree of separation between browsing contexts is intuitive in the
> case of Chrome, given the underlying implementations, but will it be
> the same for Internet Explorer or Firefox or Safari?
>
> Let's assume that there is no Chrome-style process isolation, and that
> this is only implemented as not giving the target=_unrelated document
> the ability to traverse window.opener. If the document's opener lives
> in an already-named window (perhaps unwittingly), it won't be
> prevented from acquiring the handle via open('',
> '<name_of_that_window>'), right? That may be unexpected.
>
> The same goes the other way - the spec subtly implies that because
> window.open('foo', '_unrelated') returns null, the opener will not be
> able to mess with the opened window, but that's not guaranteed given
> that the reference may be leaked by other means, right?
>
> /mz


-- 
Simon Pieters
Opera Software

Received on Thursday, 14 June 2012 07:58:51 UTC