W3C home > Mailing lists > Public > whatwg@whatwg.org > January 2015

Re: [whatwg] Clarification for window.opener.location.href

From: Nicholas C. Zakas <standards@nczconsulting.com>
Date: Wed, 07 Jan 2015 12:55:56 -0800
Message-ID: <54AD9D5C.6020709@nczconsulting.com>
To: whatwg@lists.whatwg.org
Yeah, that works well if you're dealing with bleeding-edge browsers 
only. Not so much elsewhere. :-/ Unfortunately, this isn't a case where 
progressive enhancement is a suitable approach to dealing with such a 
security issue.


On 1/6/2015 12:16 PM, Boris Zbarsky wrote:
> On 1/6/15 3:10 PM, Nicholas C. Zakas wrote:
>> Yes, if we do it with window.open(), then it's possible to set opener to
>> null. However, if you click on a link with target=_blank, window.opener
>> is set as well.
> Not if you use rel="nofollow", per spec.  Browser support there is 
> still spotty but improving.
> Of course that affects more than just window.opener (e.g. affects 
> whether a referrer is sent)....
> -Boris

Nicholas C. Zakas
Received on Wednesday, 7 January 2015 20:56:19 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:09:32 UTC