| Home | Forums | Reviews | Guides | Newsgroups | Register | Search |
 |
| Thread Tools |
|
Guest
Posts: n/a
|
Hi all,
I occasionally use the javascript protocol in window.open to retrieve a window property of the opener for use as HTML source: window.htmlSrc="<html>...blah ....<\/html>"; window.open("javascript  pener.htmlSrc", testWindow);The technique was absolutely needed in NS4.xx to overcome reentrancy problems with document.writing to generated windows, and has been useful for testing and some cross browser DHTML work since. Currently Opera 7.11 refuses to honor the protocol with a security violation errror, Mozilla has been refusing to allow window reload from the generated window for some time, and Moz 1.4 is generating informative security warnings. Basically it looks like the javascript protocol is about to become dead sooner rather than later. Does anyone else consider this security error a result of simplistic treatment of the javascript protocol when implimenting same domain policy? Are there real security issues with the javascript protocol that are additional to being able to execute window.open on somebody else's domain sourced page in the first place? Does anyone care or should we just let it die? Personally I would prefer to see the javascript: protocol standardised rather than discarded, but that much may be obvious!  Cheers, Dom |
|
|
|
|||
|
|
| |
|
Guest
Posts: n/a
|
On Sun, 20 Jul 2003 12:03:58 +0930, Dom Leonard
<> wrote: > Basically it looks like the javascript >protocol is about to become dead sooner rather than later. It was never really alive for doing this kind of stuff IMO. >Does anyone else consider this security error a result of simplistic >treatment of the javascript protocol when implimenting same domain policy? Perhaps, but the problem is there have been hundreds of security holes built around using javascript protocol, since there's no sane reason for wanting to do it, it will be generally unreliable, and it will remove some of the holes without having to think, it seems to make sense that they've disabled it. >Personally I would prefer to see the javascript: protocol standardised >rather than discarded, but that much may be obvious! Then take it to the IETF... You have as much right as anyone else. a javascript uri scheme registration wouldn't appear to be tough to write... Jim. -- comp.lang.javascript FAQ - http://jibbering.com/faq/ |
|
|
|
|
|||
|
|
| |
|
| Thread Tools | |
|
|
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| Should I "EVER" get access violations? | James Hunter Ross | ASP .Net | 3 | 11-10-2005 06:46 PM |
| Handling class invariant violations | DaKoadMunky | C++ | 8 | 12-05-2004 08:53 PM |
| Report BI violations by DVD Verdict and Genre Online | FAQmeister | DVD Video | 56 | 06-22-2004 09:20 PM |
| Where to report copyright violations & Usenet spamming by Pbase users. | Lionel | Digital Photography | 0 | 05-24-2004 03:17 AM |
| Python 2.2 (ActiveState, build 224) and access violations/Dr Watson(long) | =?iso-8859-1?q?Lars_Bj=F8nnes?= | Python | 1 | 10-16-2003 12:24 AM |
