Hacker News new | ask | show | jobs
by kijin 3066 days ago
Lots of existing apps, including some that handle payment information, rely on window.opener to provide a seamless experience when using pop-ups or iframes from a different domain.

In an ideal world, these apps would have been rewritten a long time ago using more modern techniques. In reality, browsers bend over backwards to maintain backward compatibility with existing apps.
4 comments
metafunctor 3066 days ago
I remember this very thing being discussed years ago.

Since this is still a problem, I'd say the web needs a way to gracefully migrate away from bad decisions like window.opener being available across origins.

Should we not decide that cross-origin window.opener is now deprecated, show big fat warnings on the developer console when it's used, and remove it in a year or two? I'd like an option to completely turn it off on my browser. Like third-party cookies, cross-origin access to just about anything is a bad idea.

link
discreditable 3065 days ago
> Should we not decide that cross-origin window.opener is now deprecated, show big fat warnings on the developer console when it's used, and remove it in a year or two?

That does nothing for deployed sites that aren't actively developed? Browser devs have decided those sites are worth not breaking.

link
metafunctor 3061 days ago
Browsers should show a warning that a "possibly insecure legacy mode" is in use.

If browsers enforce HTTPS in a similar way, I don't see why they shouldn't enforce better security elsewhere as well.

link
beaconstudios 3065 days ago
in semantic versioning terms, we need a "2.x" of the HTML API. We'd need to break backwards compatibility across the board and have sites opt in to use v2 using some kind of flag. The benefits would be massive but it would also require browsers to essentially have 2 different engines to support both legacy and v2 websites.
link
Forge36 3065 days ago
Internet Explorer tried to maintain multiple rendering engines. Every version from IE5 to IE11 (if you open the debug console you can switch rendering modes) And now they have Edge. It never took off.

I suspect the cost of breaking web compatibility intentionally to accomplish this goal would kill a browser, as authentication, payment, and many other things would suddenly break.

link
beaconstudios 3065 days ago
this is why I say it would have to be opt-in through something like a header or tag on the page in question (although I don't think doctype would work well for this). Existing sites would use the current engine and sites that explicitly stated they were for the new engine would be handled differently.
link
manigandham 3065 days ago
That's exactly what IE did with the `X-UA-Compatible` meta tag. It's just more work for both browsers and websites to manage, which is why it's not used anymore.

https://msdn.microsoft.com/en-us/library/jj676915(v=vs.85).a...

link
kijin 3065 days ago
Content-Security-Policy might be a good way to opt in to this kind of behavior.
link
lioeters 3065 days ago
How about a Babel-like transpiler, that would take HTML written in this newly proposed standard and outputs backward-compatible code? For example, adding rel="noopener" by default to external links.
link
core-questions 3065 days ago
This could work, but ultimately it's just more and more duct tape. It's high time to start with a cleaner, more secure slate and let people migrate maintained applications over; the old stuff can run in a more secured, more limited sandbox.
link
IncRnd 3065 days ago
> in semantic versioning terms, we need a "2.x" of the HTML API.

Version # is not the phrase you want to overload. HTML5 is the latest version and was released 4 years ago.

link
beaconstudios 3063 days ago
I'm not suggesting overloading it - just trying to come up with a fitting metaphor.
link
stephenr 3065 days ago
HTML 2.0 was published in 1995.

I doubt this behaviour comes purely under html anyway as its only usable from the javascript environment.

More likely is a content security policy... oh looke there: https://w3c.github.io/webappsec-csp/#directive-disown-opener

link
beaconstudios 3065 days ago
I'm aware of that - the existing HTML versions have been pretty much incremental though. XHTML was a breaking change but more for syntactical reasons. By a "2.x" version I mean a fresh rewrite with no requirements for parity with previous versions, so the lessons of the current engine can be applied in a clean-slate environment.
link
stephenr 3065 days ago
i feel like there must be an xkcd that sums up your suggestion...
link
illustrioussuit 3065 days ago
https://xkcd.com/927/

Or mobile: https://m.xkcd.com/927/

link
chatmasta 3065 days ago
Seems like the simple solution would be for those apps to include something like “rel=yesopener” on the link to the payment provider, as a way to explicitly opt into the functionality.

Browsers deprecate security related features all the time. See SSL, HSTS [EDIT: HPKP*], etc.

At the very least, browsers could remain backward compatible but mark the URI as “Insecure” in the address bar if the link could result in tab hijacking. Although on second thought, that would be challenging because it would require parsing the source of all links.

link
Klathmon 3065 days ago
HSTS is not deprecated, HPKP is.

HSTS is what tells the browser "this website MUST be served over TLS".

HPKP is what tells the browser "this website must be served over TLS with this exact key".

HPKP is being deprecated due to the large "footgun" it creates for websites, and the difficulty at actually managing it. It's being replaced by "Expect-CT" which is a much easier and safer way of getting a similar result.

link
tialaramex 3065 days ago
As well as a footgun, HPKP (and any similar pinning technology) unavoidably creates opportunities to take sites hostage. If the current owner of site X can say "Only trust this site if key K is involved in the trust chain" then if bad guys are able to take over the site even briefly, and say "Only trust this site if key J is involved" instead, they can sell you key J for however much you value your site. Without it, nobody in the world can "get back" your site in reasonable time, no court order, no service provider, nothing else will work. They can even choose to do this, then destroy key J, now your site is bricked and nobody can fix that.

Expect-CT is very different, I'm not sure "similar result" is the right phrase. HPKP lets you pin to any set of keys, a reasonable choice might be your current key, a spare key that your DevOps have ready to go, and one more that's printed out on a piece of paper in the company safe labelled "important: Web site private key, never lose this".

Expect-CT is like Python's from future import, in the future we expect the Web PKI to use Certificate Transparency logging policy to ensure oversight over all CAs. Expect-CT lets you demand enforcement of such policy today, to the extent that's possible. Today policy is still in a state of flux, so enforcing it might not do what you expect, whereas HPKP was very predictable. On the other hand, it's definitely not subject to hostage taking, and it's probably less susceptible to footguns, so that's nice. And if the future does come to pass as expected it's future proof, since such a policy will become de facto the normal behaviour of common user agents.

[Edited to make more sense]

link
supergreg 3065 days ago
Just warn them that at some point in time the feature will cease to work. I see these warnings in the console all the time for broken SSL CAs and deprecated DOM APIs.
link
iforgotpassword 3065 days ago
According to https://jakearchibald.com/2016/performance-benefits-of-rel-n... edge doesn't set window.opener for blank links so I'd assume it's not being used that much. I mean, it's Microsoft, they usually go out of their way to be backwards compatible.
link