If the primary domain is www.example.com and the other domain is
help.example.com, the UA clearly should allow them to communicate by
request. Believe me, nulling window.opener if origin check fails will
break MANY sites.

This is not the point I am making, and I feel we are not understanding one another.
I don't think I understand you, and you don't understand me.

I have personally written many applications which use window.open windows, iframes, and such, and have *never* needed to 'spoof' the browser into re-assigning a window.

The *potential* for a security breach is if cross-domain scripting is allowed after a user has left your site. If the UA nulls window.opener at that point, then it won't break anything. How many 3rd-party websites are designed to run in a popup from another domain?

As I said, the WebKit folks seem to think my idea of read-only was a good one.

Breaking *any* website is a problem. Yes, security is important. But
this is a problem with a clear and limited (ab)use case - mainly
webmails - and we can add a feature giving those relatively few
webmail sites some easy-to-use opt-in security.

I disagree. Apache security fixes are rolled out, and the developer is expected to cope; PHP rolls out security fixes, and the developer has to cope. If the problem here is that a webmail vendor will not adjust his code to work in a secure environment, then I am astounded.

If this post really isn't about security, then I think you need to address the subject and actually detail what it is about.
