Summary: | Should allow cross-origin navigation of top-level openers | |
---|---|---|---
Product: | WebKit | Reporter: | Steen Nielsen <steen>
Component: | JavaScriptCore | Assignee: | Sam Weinig <sam>
Status: | RESOLVED FIXED | |
Severity: | Major | CC: | abarth, sam
Priority: | P2 | Keywords: | InRadar, NeedsReduction
Version: | 528+ (Nightly build) | |
Hardware: | All | |
OS: | All | |
URL: | http://msdesign.dk/oes/filer/_test.htm | |

Description
Steen Nielsen
2009-07-06 07:37:54 PDT
Adam, do you have any thoughts on allowing a popup to navigate its opener, even if they are of different origins? It sounds like the opener restriction is preventing the navigation (because example2.com is not the opener of example1.com). In general, it's hard to state a threat model in which the opener restriction buys you much security. It seems fine to allow this case, especially if that makes us more compatible with Firefox 3.5. It seems similar to allowing frame-busting (just popups instead of iframes).
Created attachment 40030 [details]
patch
Comment on attachment 40030 [details]
patch
Precisely.