https://www.w3.org/TR/html-design-principles/#priority-of-constituencies
3.2. Priority of Constituencies
In case of conflict, consider users over authors over implementors over
specifiers over theoretical purity. In other words costs or difficulties
to the user should be given more weight than costs to authors; which in
turn should be given more weight than costs to implementors; which
should be given more weight than costs to authors of the spec itself,
which should be given more weight than those proposing changes for
theoretical reasons alone. Of course, it is preferred to make things
better for multiple constituencies at once.
3.3. Secure By Design
Ensure that features work with the security model of the web.
Preferrably address security considerations directly in the specification.
Communicating between documents from different sites is useful, but an
unrestricted version could put user data at risk. Cross-document
messaging is designed to allow this without violating security constraints.
-=-=-=-=-=-=-=-
Right now the specification for window.opener() is seriously insecure,
allowing for cross-domain script access by default.
WhatWG refuses to properly address the issue.
The reason they refuse to properly address the issue is because it would
break OAuth.
Yup - an alleged security tool requires an insecure Internet. That's the
most insane logic I have ever heard but that's what the issue is.
The proposed fix - rel="noopener" - is insufficient, it is difficult to
consistently deploy and there are thousands upon thousands of archived
web pages that won't have that attribute added.
It is unrealistic to expect the end user to be aware of the issue, the
end user will be vulnerable to phishing and other attacks made possible
via window.opener() if the browsers do not protect them, but the
browsers will not protect them unless the specification calls for it,
and the specification will not call for it because the same companies
that are heavily invested in OAuth run the WhatWG.
There is a serious conflict of interest and it is resulting in a web
that does not put the user first, or the security of the user first, but
instead is putting first a protocol that has had repeated serious
security flaws and is broken by design.
If the WhatWG can't put the security of Internet users first, then it
needs to be disbanded and replaced by a working group that will put the
security of the users first.
