- From: Glenn Maynard <glenn@zewt.org>
- Date: Mon, 1 Oct 2012 18:52:23 -0500
- To: Ian Hickson <ian@hixie.ch>
- Cc: whatwg@whatwg.org
On Mon, Oct 1, 2012 at 5:10 PM, Ian Hickson <ian@hixie.ch> wrote: > > + have the new page be in a new browsing context > > ...it's a new browsing context (e.g. target="_blank"). > I'm not very familiar with the browsing context concept: what's the practical security issue here? It should never be necessary to open a new window to invoke security features, since in general opening new windows without a good UI reason is extremely rude. (A good UI reason is "this is an expensive-to-load web app that's typically used over a long term, so you rarely want to replace the tab with links", eg. Gmail. The all-too-common bad reason is "we want people to keep pages open in the user's browser for long as possible in the hopes that it'll make them come back by accident, so we'll sprinkle target=_blank everywhere", eg. amazon.co.jp makes *every search result* target=_blank.) This is abused so constantly that I disable it with browser.link.open_newwindow in FF. If there are security features that are only accessible with target=_blank, they should be accessible without the antisocial behavior of opening new windows/tabs that the user didn't ask for. (If there are security issues with opening links in the same tab in the first place, I'm interested in knowing what they are.) -- Glenn Maynard
Received on Monday, 1 October 2012 23:53:08 UTC