On Wed, 2016-11-30 at 02:33 -0800, Alice Wonder wrote:
> https://github.com/whatwg/html/issues/2119
>
> Major flaw in how the specification for window.opener() works resulting
> in a major phishing vulnerability that is cake to pull off.
>
> The right solution isn't considered because it would break
> compatibility with the few sites that depend upon the broken specification even
> though it would be simple for those sites to implement a secure method.
>
> So instead the entire web is left with an extremely poor default and a
> crappy solution that won't be implemented by a large number of sites.
>
> And that's why the Internet will remain a playground for con artists
> for years to come.
>
> I've lost faith in the W3C. It's useless, time for a fork and a new
> standards body. Seriously.
>
> BTW - the fix that W3C does endorse, the rel="noopener"
> attribute, if that's the best the W3C is willing to do, Red Hat better make sure it
> makes it into the ESR version of Firefox they ship or it will be
> vulnerable for some time.
>
> The broken fix the W3C endorses isn't even set to make it into standard
> Firefox until Firefox 52. Which is odd because it is a serious security
> vulnerability. I'm worried it won't make it into ESR Firefox for
> some time. ESR often lags on features.
Hi,
To answer the last paragraph. Firefox 52 ESR is scheduled for Q1 2017.
https://wiki.mozilla.org/RapidRelease/Calendar
Regards
Phil
--
Google+: https://goo.gl/CPjvNo
Blog: https://philwyett-hemi.blogspot.co.uk/
GitLab: https://gitlab.com/philwyett_hemi/
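The flaw the quoted message is about is reverse tabnabbing: a page opened from a link with target="_blank" (and no rel="noopener") keeps a window.opener reference to the page that opened it, and cross-origin it is still allowed to assign window.opener.location, so it can swap the original tab for a look-alike login page. The example below is added here and is not code from this thread, the CentOS list or the WHATWG issue; it is a small Node-runnable audit that finds target="_blank" anchors lacking noopener in an HTML string and rewrites them to carry rel="noopener noreferrer". The function names, the regexes and the sample page are my own constructions, not any library's API.

```javascript
// Added example: audit and harden target="_blank" anchors against reverse
// tabnabbing via window.opener. Runs under Node; no DOM is needed.
//
// What the opened page can run when the opener left rel="noopener" off (kept as
// a string for reference only, never executed here):
const TABNAB_PAYLOAD =
  'if (window.opener) window.opener.location = "https://phish.example/login";';
//
// For links opened from script the equivalent fixes are
//   window.open(url, "_blank", "noopener");
// or, on browsers that predate the feature,
//   const w = window.open(url); if (w) w.opener = null;

// Each <a ...> start tag; \b keeps <abbr> and <area> from matching.
const ANCHOR_RE = /<a\b([^>]*)>/gi;
// name="value", name='value' or name=bare inside a start tag body.
const ATTR_RE = /([^\s=]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
// The rel attribute alone, used when appending tokens to an existing list.
const REL_RE = /\brel\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;

function parseAttrs(body) {
  const attrs = {};
  for (const m of body.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

function opensNewContext(attrs) {
  // target=_blank always creates a new browsing context; a not-yet-existing
  // named target does too, but only the unambiguous case is flagged here.
  return (attrs.target || '').trim().toLowerCase() === '_blank';
}

function hasNoopener(attrs) {
  const tokens = (attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean);
  // rel=noreferrer implies noopener behaviour in the HTML spec.
  return tokens.includes('noopener') || tokens.includes('noreferrer');
}

// Returns the href of every anchor that opens a new tab while leaving
// window.opener intact in the opened page.
function findUnsafeBlankLinks(html) {
  const unsafe = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(m[1]);
    if (opensNewContext(attrs) && !hasNoopener(attrs)) unsafe.push(attrs.href || '');
  }
  return unsafe;
}

// Rewrites the HTML so every target=_blank anchor carries rel="noopener noreferrer",
// appending to an existing rel token list rather than replacing it.
function hardenBlankLinks(html) {
  return html.replace(ANCHOR_RE, (tag, body) => {
    const attrs = parseAttrs(body);
    if (!opensNewContext(attrs) || hasNoopener(attrs)) return tag;
    if ('rel' in attrs) {
      const newBody = body.replace(REL_RE,
        (_, d, s, b) => `rel="${(d ?? s ?? b).trim()} noopener noreferrer"`);
      return `<a${newBody}>`;
    }
    return `<a${body} rel="noopener noreferrer">`;
  });
}

// Constructed sample page (hypothetical hosts, not a real site).
const SAMPLE = [
  '<a href="https://partner.example/" target="_blank">partner</a>',
  '<a href="/about" target="_blank" rel="noopener">about</a>',
  '<a href="https://other.example/" target=_blank rel="external">other</a>',
  '<a href="/home">home</a>',
].join('\n');

console.log('unsafe before:', findUnsafeBlankLinks(SAMPLE));
console.log('unsafe after: ', findUnsafeBlankLinks(hardenBlankLinks(SAMPLE)));
```

Run it on any saved page to list the links a con artist could use; the rewrite keeps other rel tokens such as "external" and leaves anchors that already carry noopener or noreferrer untouched. A regex pass like this is an audit aid, not a parser: templates that build the target attribute at runtime still need the fix applied at the source.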