- From: Mike West <mkwst@google.com>
- Date: Mon, 11 May 2015 16:13:19 +0200
- To: Chris Coyier <chriscoyier@gmail.com>
- Cc: WHAT Working Group Mailing List <whatwg@whatwg.org>, Alex Russell <slightlyoff@google.com>, Jim Manico <jim.manico@owasp.org>, Ian Hickson <ian@hixie.ch>, David Bruant <bruant.d@gmail.com>
On Mon, May 11, 2015 at 4:02 PM, Chris Coyier <chriscoyier@gmail.com> wrote:

> I'd think popups would be killed by default and allow-popups would allow
> them. Or if you need a new value, allow-obnoxious-things could work ;)

I would prefer to simply remove the functionality. :)

If we do decide that we need `alert()` and friends, I would suggest that `allow-popups` is the wrong flag to use. The advertising use case I noted at the top pretty much requires `window.open`/`target="_blank"` to work correctly. If those only work when `alert()` is enabled, then we wouldn't solve the issue.

> Like navigator.geolocation (so we regex and strip it).

I think permissions for iframes in general are a separate question, but an important one to deal with.

> The worst offender: linking to things that are .htpasswd protected and it
> pops up that authentication modal.

I wouldn't be terribly averse to dropping support for that inside a sandbox. Especially a sandbox without `allow-same-origin`.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Monday, 11 May 2015 14:14:04 UTC