Comment #5 on issue 18396 by berendjanwever: about:blank tabs via window.open should display origin in the address bar http://code.google.com/p/chromium/issues/detail?id=18396
@madeleine.pultier: (regarding your second point) AFAIK the about:blank page is treated as being in the same origin as its creator and all cross-origin checks apply. That means the about:blank page has the same access rights as the page that created it, so any communication between http and https would not need this "trick". If I am mistaken and you know of a way to bypass cross-origin checks in Chrome please show me how: I cannot reproduce this. Also, any ssl page can "give" data to any other page in a number of ways: eg. by creating a FORM that POSTs the data to any other site. I assume you meant to say that an http page can "take" data from an https page. That would be considered a cross- origin problem but, as I mentioned, I cannot reproduce this with the given example. @lcamtuf/mal: don't forget to include all origin information (protocol, port). Would we open up a can of IDN-spoofing? How would we treat (bad) https connections? Do we color the address bar similar to the opener page? -- You received this message because you are listed in the owner or CC fields of this issue, or because you starred this issue. You may adjust your issue notification preferences at: http://code.google.com/hosting/settings --~--~---------~--~----~------------~-------~--~----~ Automated mail from issue updates at http://crbug.com/ Subscription options: http://groups.google.com/group/chromium-bugs -~----------~----~----~----~------~----~------~--~---
