miscoded

If you know some JavaScript, you'll know that window.opener exists in popups created with window.open() to allow JavaScript in the popup to communicate with its opener window. You might not be aware that this property is also created for popups caused by target=_blank links and forms, but IE and Firefox do this. Popup -> opener communication is generally subject to the normal cross-domain limitations, so that a page from another domain can't for example change the DOM of the opener. However, it *is* allowed to change the address of the opener window by setting window.location, even cross-domain !

This opens up some security worries. Ideally, we would like to prevent cross-domain opener.location setting (for example, an abuse case might be clicking a link in an E-mail that opens in a popup and navigates the main window away from your mailbox to a page you would rather not visit..) but I guess that we would see considerable breakage on the Web if we tried that.

We have tried to let sites sort of "opt-out" from having window.opener defined in the popup window by not setting the window.opener property if the popup was created by clicking a link with target="_blank". That way, your webmail could simply give external links a _blank target attribute and protect the inbox from malicious navigation changes.

Enter KfW Förderbank.. Load page and click "Abschicken" at the bottom. Try the link in the popup. Nothing happens because that functionality depends on "window.opener" being set after submitting a target=_blank form.

Perhaps this problem isn't fixable at all? Or perhaps we should ask the Web API guys to enhance window.open with a new argument that will create a popup without window.opener?

[Edit: trying to "bump" post since there are no comments yet, changing date ..]