W3C home > Mailing lists > Public > whatwg@whatwg.org > December 2016

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

From: Domenic Denicola <d@domenic.me>
Date: Fri, 2 Dec 2016 01:48:41 +0000
To: Zac Spitzer <zac.spitzer@gmail.com>
Message-ID: <CY1PR0501MB1369CCCEA2196B4047A93AF1DF8E0@CY1PR0501MB1369.namprd05.prod.outlook.com>
Cc: "whatwg@whatwg.org" <whatwg@whatwg.org>, Ian Hickson <ian@hixie.ch>, "Michael A. Peters" <mpeters@domblogger.net> 
From: Zac Spitzer [mailto:zac.spitzer@gmail.com] 

> how about rather than requiring this on every <a> why not support a base tag directive  for the whole document i.e. <base rel="noopener">, similar to <base target="_blank">?

Yes, this is a good idea to include in a general framework for imposing such self-restrictions on your page, such as CSP: https://github.com/w3c/webappsec/issues/139.
Received on Friday, 2 December 2016 01:49:15 UTC

This archive was generated by hypermail 2.3.1 : Friday, 2 December 2016 01:49:16 UTC