javascript: protocol security violations

Giganews Newsgroups
Subject: javascript: protocol security violations
Posted by:  Dom Leonard (doml.removethis@senet.andthis.com.au)
Date: Sun, 20 Jul 2003

Hi all,

I occasionally use the javascript protocol in window.open to retrieve a
window property of the opener for use as HTML source:

  window.htmlSrc="<html>...blah ....<\/html>";
  window.open("javascript:opener.htmlSrc", testWindow);

The technique was absolutely needed in NS4.xx to overcome reentrancy
problems with document.writing to generated windows, and has been useful
for testing and some cross browser DHTML work since.

Currently Opera 7.11 refuses to honor the protocol with a security
violation errror, Mozilla has been refusing to allow window reload from
the generated window for some time, and Moz 1.4 is generating
informative security warnings. Basically it looks like the javascript
protocol is about to become dead sooner rather than later.

Does anyone else consider this security error a result of simplistic
treatment of the javascript protocol when implimenting same domain policy?

Are there real security issues with the javascript protocol that are
additional to being able to execute window.open on somebody else's
domain sourced page in the first place?

Does anyone care or should we just let it die?

Personally I would prefer to see the javascript: protocol standardised
rather than discarded, but that much may be obvious! :)

Cheers,
Dom

Replies