On Mon, 1 Oct 2012, Glenn Maynard wrote:
> On Mon, Oct 1, 2012 at 5:10 PM, Ian Hickson <i...@hixie.ch> wrote:
> >
> > > > + have the new page be in a new browsing context
> >
> > ...it's a new browsing context (e.g. target="_blank").
>
> I'm not very familiar with the browsing context concept: what's the
> practical security issue here?

I'm not aware of any particular security issues involved here.

> (A good UI reason is "this is an expensive-to-load web app that's
> typically used over a long term, so you rarely want to replace the tab
> with links", eg. Gmail.

Right, that's basically the use case. See the top of my recent long e-mail
on this thread.

> The all-too-common bad reason is "we want people to keep pages open in
> the user's browser for as long as possible in the hopes that it'll make
> them come back by accident, so we'll sprinkle target=_blank everywhere",
> eg. amazon.co.jp makes *every search result* target=_blank.) This is
> abused so constantly that I disable it with browser.link.open_newwindow
> in FF.

Presumably authors in such cases would not use rel=noreferrer; I don't see
why they would want to.

On Mon, 1 Oct 2012, Boris Zbarsky wrote:
> >
> > I'm happy to make the spec not match implementations, if the
> > implementations are going to change to match the spec. :-)
>
> I certainly plan to change Gecko to make this stuff less loose there.
>
> But full disclosure: I have been thus planning for at least 3 years. I
> don't know when I'll get to it. It's not a small change. :(

Let me know when you've changed it, and I'll look into changing the spec
again. Right now, I don't think it makes sense to go against the tide. :-)

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'