Comments on: What’s in a window.name?

By: tourque3000

tourque3000 — Wed, 23 Mar 2011 05:45:34 +0000

The interesting thing to note about window.name is that it:

1) Persists within across page refreshes, and
2) is specific to a tab

This allows us to provide tab-specific information while using a site. Without this hook it becomes quite difficult for a user to have multiple tabs open into the same site under the same session and have them not interfere with each other. Some web frameworks specifically address this issue, but are quite heavy and do so by adding information to all internal links, however this breaks when a user right-clicks and opens a new tab on a link.

By: newz2000

newz2000 — Wed, 14 May 2008 15:01:20 +0000

Is this a security vulnerability (or information leakage)? It seems to me to be merely a way for consenting pages to pass information.

By: paftek

paftek — Wed, 14 May 2008 09:10:00 +0000

@KevinWeibell: +1
Andrea Giammarchi blogged about this more than one year ago…

By: Jordan

Jordan — Wed, 14 May 2008 03:25:55 +0000

There are some obvious problems to this:

1) If the user opens a page in another tab, the window name is lost.

2) If a script on the page, maybe an advertisement script or what not, creates a global variable with the name “name”, it will override the window.name variable.

By: ibolmo

ibolmo — Wed, 14 May 2008 00:08:17 +0000

I’m still surprised by the security threats that everyone is afraid of. It’s only an issue if someone uses window.name. Don’t make the world spin on a dime, when there’s bigger issues out there.

By: arapehl

arapehl — Tue, 13 May 2008 19:00:07 +0000

The fact that other sites could read the data without difficulty is a major issue and could keep this from ever really being used as a cookie replacement.

It could however be used as a state manager for Ajax/Flash apps that track movements throughout an app by storing the current state in an iframe/url hash combination (re: YUI History Manager).

By: JeromeLapointe

JeromeLapointe — Tue, 13 May 2008 18:18:42 +0000

A little hackish but it’s a pretty clever idea! Good example of “thinking outside the box”.

By: KevinWeibell

KevinWeibell — Tue, 13 May 2008 17:22:33 +0000

Don't want to spoil all the fun... but this is not that new of a thing. Check out Andrea Giammarchi's JSTONE and Web RAM. Cheers

By: timwhunt

timwhunt — Tue, 13 May 2008 16:49:02 +0000

This is really useful, thanks for pointing it out!! However, I almost missed it because the title of the post was “clever” rather than informative.

By: Jamie

Jamie — Tue, 13 May 2008 16:24:44 +0000

how long before this security hole is plugged in all real browsers though?

By: PaulIrish

PaulIrish — Tue, 13 May 2008 16:01:21 +0000

Picked this up from Leslie Orchard’s del.icio.us a few days ago. Can’t believe it hadn’t surfaced before now!

This is huge.

Not to mention the ability it affords us in cross-domain messaging without iframe hacks or anything.