https://github.com/whatwg/html/issues/2119
Major flaw in how the specification for window.opener() works resulting
in a major phishing vulnerability that is cake to pull off.
The right solution isn't considered because it would break compatibility
with the small number of sites that depend upon the broken specification even
though it would be simple for those sites to implement a secure method.
So instead the entire web is left with an extremely poor default and a
crappy solution that won't be implemented by a large number of sites.
And that's why the Internet will remain a playground for con artists for
years to come.
I've lost faith in the W3C. It's useless, time for a fork and a new
standards body. Seriously.
BTW - the fix that W3C does endorse, the rel="noopener" attribute, if
that's the best the W3C is willing to do, Red Hat better make sure it
makes it into the ESR version of Firefox they ship or it will be
vulnerable for some time.
The broken fix the W3C endorses isn't even set to make it into standard
Firefox until Firefox 52. Which is odd because it is a serious security
vulnerability. I'm worried it won't make it into ESR Firefox for some
time. ESR often lags on features.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
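
Added example, not part of the original message: a static check a site owner could run over their own pages to list links that open a new browsing context without the rel="noopener" (or rel="noreferrer", which implies it) attribute discussed above. The class and function names, the sample markup and the example.org URLs are constructed for illustration.

```python
from html.parser import HTMLParser

# rel tokens that keep the opened page from receiving a window.opener reference
SAFE_REL = {"noopener", "noreferrer"}
# targets that reuse an existing browsing context instead of opening a new one
SAME_CONTEXT = {"", "_self", "_parent", "_top"}


class OpenerAudit(HTMLParser):
    """Collect <a>/<area> elements that open a new context without noopener."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.base_target = None   # default target set by the first <base target=...>
        self.findings = []        # (line number, tag, href)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "base" and "target" in a and self.base_target is None:
            self.base_target = a["target"]
            return
        if tag not in ("a", "area") or "href" not in a:
            return
        # a link without its own target inherits the <base> default, if any
        target = a.get("target", self.base_target or "").strip().lower()
        if target in SAME_CONTEXT:
            return
        if set(a.get("rel", "").lower().split()) & SAFE_REL:
            return
        self.findings.append((self.getpos()[0], tag, a["href"]))


def audit(html):
    """Return [(line, tag, href)] for every link still exposing window.opener."""
    parser = OpenerAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page
SAMPLE = """<html><body>
<a href="https://example.org/a" target="_blank">missing rel</a>
<a href="https://example.org/b" target="_blank" rel="noopener">ok</a>
<a href="https://example.org/c" target="_blank" rel="nofollow NoReferrer">ok</a>
<a href="/local">same tab</a>
<area href="https://example.org/d" target="report">
</body></html>"""

if __name__ == "__main__":
    for line, tag, href in audit(SAMPLE):
        print(f"line {line}: <{tag}> to {href} lacks rel=noopener")
```

Named targets such as target="report" are flagged as well, since they open a new browsing context in the same way target="_blank" does.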