On Wed, 2016-11-30 at 02:33 -0800, Alice Wonder wrote:
> https://github.com/whatwg/html/issues/2119
>
> Major flaw in how the specification for window.opener() works, resulting
> in a major phishing vulnerability that is cake to pull off.
>
> The right solution isn't considered because it would break compatibility
> with the few sites that depend upon the broken specification, even
> though it would be simple for those sites to implement a secure method.
>
> So instead the entire web is left with an extremely poor default and a
> crappy solution that won't be implemented by a large number of sites.
>
> And that's why the Internet will remain a playground for con artists for
> years to come.
>
> I've lost faith in the W3C. It's useless, time for a fork and a new
> standards body. Seriously.
>
> BTW - the fix that W3C does endorse, the rel="noopener" attribute, if
> that's the best the W3C is willing to do, Red Hat better make sure it
> makes it into the ESR version of Firefox they ship or it will be
> vulnerable for some time.
>
> The broken fix the W3C endorses isn't even set to make it into standard
> Firefox until Firefox 52. Which is odd because it is a serious security
> vulnerability. I'm worried it won't make it into ESR Firefox for some
> time. ESR often lags on features.

Hi,

To answer the last paragraph: Firefox 52 ESR is scheduled for Q1 2017.

https://wiki.mozilla.org/RapidRelease/Calendar

Regards

Phil

--
Google+: https://goo.gl/CPjvNo
Blog: https://philwyett-hemi.blogspot.co.uk/
GitLab: https://gitlab.com/philwyett_hemi/
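The rel="noopener" mitigation discussed in the quoted message, shown as an added example (not code from the thread or from any browser vendor): a site can harden its own target="_blank" links and window.open calls so the opened page never receives a usable window.opener. Function names, the noreferrer fallback for browsers that predate noopener, and the fake document/window objects used for testing are this example's own assumptions.

```javascript
// Added example: defensive handling of links that open new windows, so the
// opened page gets no window.opener reference back to the opening page.

// Compute the hardened rel value for an anchor. `rel` is the current rel
// attribute (or null), `target` the target attribute. Returns the new rel
// string, or null when no change is needed.
function hardenedRel(rel, target) {
  if (target !== '_blank') return null; // same-tab navigation has no opener
  const tokens = new Set((rel || '').split(/\s+/).filter(Boolean));
  if (tokens.has('noopener')) return null; // already hardened
  tokens.add('noopener');
  // Browsers without noopener support still honour noreferrer, which also
  // severs the opener link, so add both (assumed fallback policy).
  tokens.add('noreferrer');
  return [...tokens].join(' ');
}

// Audit every target="_blank" anchor in a document (or a DOM-like object
// exposing querySelectorAll/getAttribute/setAttribute) and fix it in place.
// Returns the number of anchors changed.
function hardenBlankTargets(doc) {
  let fixed = 0;
  for (const a of doc.querySelectorAll('a[target="_blank"]')) {
    const rel = hardenedRel(a.getAttribute('rel'), a.getAttribute('target'));
    if (rel !== null) {
      a.setAttribute('rel', rel);
      fixed += 1;
    }
  }
  return fixed;
}

// Programmatic equivalent: request the noopener window feature. Browsers that
// support it return null; older ones return the handle, whose opener we null
// ourselves before the new page can use it.
function openSafely(win, url) {
  const handle = win.open(url, '_blank', 'noopener');
  if (handle) handle.opener = null;
  return handle;
}

// Run the audit automatically when loaded in a browser.
if (typeof document !== 'undefined') hardenBlankTargets(document);
```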
CentOS mailing list: https://lists.centos.org/mailman/listinfo/centos