Hacker News new | comments | ask | show | jobs | submit login

They ever heard of "security by default"? I guess no.

In the early to mid '90s, threat models on the web were quite a bit different from now.

I was implying "make it a default for everyone, now"

Right, but now you have 20 years worth of content which depends on the current behavior....

On this particular behavior unlikely

What makes you think this is unlikely? On the contrary, I think it's _very_ likely there are things depending on it. I don't expect there to be a huge number of them, but I also expect them to disproportionately be in things like intranet deployments where it's hard to even get measurements. :(

A link with _blank + expected to change/interact with opener? Maybe there's a few, but most cross domain transports would use window.open() manually.

Well, window.open() obviously has the same problem, with the same solution being proposed: the caller of window.open opts in to not allow the thing being opened to interact with it.

We could have different default behaviors for the two cases, of course: opt-in for links and opt-out for window.open.

But I still suspect that even just the link case is not as uncommon as one might wish. Happy to see data proving me wrong, though!

Security is hard, especially if your opponent is more clever than you. For example, the internet years later.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact