473,394 Members | 1,722 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

home > topics > javascript > questions > javascript: protocol security violations

Join Bytes to post your question to a community of 473,394 software developers and data experts.

javascript: protocol security violations

Hi all,

I occasionally use the javascript protocol in window.open to retrieve a
window property of the opener for use as HTML source:

window.htmlSrc="<html>...blah ....<\/html>";
window.open("javascript:opener.htmlSrc", testWindow);

The technique was absolutely needed in NS4.xx to overcome reentrancy
problems with document.writing to generated windows, and has been useful
for testing and some cross browser DHTML work since.

Currently Opera 7.11 refuses to honor the protocol with a security
violation errror, Mozilla has been refusing to allow window reload from
the generated window for some time, and Moz 1.4 is generating
informative security warnings. Basically it looks like the javascript
protocol is about to become dead sooner rather than later.

Does anyone else consider this security error a result of simplistic
treatment of the javascript protocol when implimenting same domain policy?

Are there real security issues with the javascript protocol that are
additional to being able to execute window.open on somebody else's
domain sourced page in the first place?

Does anyone care or should we just let it die?
Personally I would prefer to see the javascript: protocol standardised
rather than discarded, but that much may be obvious! :)

Cheers,
Dom


Jul 20 '05 #1
1 3201
On Sun, 20 Jul 2003 12:03:58 +0930, Dom Leonard
<do*************@senet.andthis.com.au> wrote:
Basically it looks like the javascript
protocol is about to become dead sooner rather than later.
It was never really alive for doing this kind of stuff IMO.
Does anyone else consider this security error a result of simplistic
treatment of the javascript protocol when implimenting same domain policy?
Perhaps, but the problem is there have been hundreds of security holes
built around using javascript protocol, since there's no sane reason
for wanting to do it, it will be generally unreliable, and it will
remove some of the holes without having to think, it seems to make
sense that they've disabled it.
Personally I would prefer to see the javascript: protocol standardised
rather than discarded, but that much may be obvious! :)


Then take it to the IETF... You have as much right as anyone else. a
javascript uri scheme registration wouldn't appear to be tough to
write...

Jim.
--
comp.lang.javascript FAQ - http://jibbering.com/faq/

Jul 20 '05 #2
New Post

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

3
javascript:OpenChildWindow
by: Bateman27 | last post by:
Hi, don't know if this is the right place for this but wondered if anybody can help. When I try to open a picture on gettyimages, or a new chat window on MSN (either by clicking on the image, or on...
Javascript
0
How to turn on java script in a villaon keypad mobile phone
by: Charles Arthur | last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
Java
0
Migrating Website to Cloud - Emmanuel Katto
by: emmanuelkatto | last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud. Please let me know. Thanks! Emmanuel
General
1
Looking to do Android software development, any suggestions? Is flutter better?
by: nemocccc | last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
General
0
How to build RAID in BIOS?
by: Hystou | last post by:
There are some requirements for setting up RAID: 1. The motherboard and BIOS support RAID configuration. 2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
Computer Hardware
0
marktang
What is ONU?
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
General
0
Changing the language in Windows 10
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
Windows Server
0
Oralloy
Problem With Comparison Operator <=> in G++
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers,...
C / C++
0
jinu1996
Maximizing Business Potential: The Nexus of Website Design and Digital Marketing
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
Online Marketing
0
tracyyun
Discussion: How does Zigbee compare with other wireless protocols in smart home applications?
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
General

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes:
Post a Job
Sponsored Posts
Platinum & Gold Sponsors
Hire Now!