window.opener and security - an unfixable problem?
Wednesday, March 14, 2007 3:46:53 PM
This opens up some security worries. Ideally, we would like to prevent cross-domain opener.location setting (for example, an abuse case might be clicking a link in an E-mail that opens in a popup and navigates the main window away from your mailbox to a page you would rather not visit..) but I guess that we would see considerable breakage on the Web if we tried that.
We have tried to let sites sort of "opt-out" from having window.opener defined in the popup window by not setting the window.opener property if the popup was created by clicking a link with target="_blank". That way, your webmail could simply give external links a _blank target attribute and protect the inbox from malicious navigation changes.
Enter KfW Förderbank.. Load page and click "Abschicken" at the bottom. Try the link in the popup. Nothing happens because that functionality depends on "window.opener" being set after submitting a target=_blank form.
Perhaps this problem isn't fixable at all? Or perhaps we should ask the Web API guys to enhance window.open with a new argument that will create a popup without window.opener?
[Edit: trying to "bump" post since there are no comments yet, changing date ..]