[Javascript] Approved method of "bugging out"

Paul - Javascript list javascriptlist at dandemutande.org
Sun Aug 3 10:19:19 CDT 2003


Dave,

I think the reason you're getting the "OK?" prompt when you close the
browser window is that you're closing the root-level parent window.  If you
create a child window in which to launch your application, then in my
experience window.close() closes it without asking.

And then, if you're operating in a child window, you might have greater
latitude to wreak havoc with history etc. without worrying about tampering
with the user's legit settings back in the parent browser.

I like the fact that the child window can redirect the parent [as well as
change object values in the parent]. For example, if the user transgresses,
you can:

function jsCloseChildRedirectParent(argURL){
	window.opener.location=argURL;	// redirect parent
	window.opener.focus();		// bring parent window to the top
	window.close();			// close child
}

(I've had mixed results with window.opener.focus() and am not confident I'm
using it properly.  I threw that in in case the user's got several open
windows and the parent browser isn't second from the top.)

Paul



At 06:37 AM 8/3/2003 -0700, you wrote:
>
>  I am trying to harden a number of pre-existing pages by embedding a
>script in the onLoad handler (or maybe even earlier in the process tree)
>that will check the authentication info for the incoming user, and then
>unconditionally blow the window/browser back out if the authorization is
>not validated.  The first part is easy, and I've already got a handle on it.
>
>  The second part appears to be more troublesome, particularly with IE
>browsers.  I've tried "self.window.close()" and a number of close analogs,
>and in every case it brings up a nice little window saying "the process
>wants to close the window, is this OK?"  Of course, a cracker will say
>"no", and continue happily raping the application.  I want the equivalent
>of dynamite for the fishpond, that will abort the browser altogether
>without any dialogue, thereby ensuring that no passive authentication
>threads remain active and that no history can lead back to the page(s) in
>question.
>
>  Yes, I know how to nuke the history list.  However, I don't like to do
>this out-of-hand, since the user may have legitimate URLs stacked up in it
>which should be preserved.  Also, I can simply redirect the
>window.location.href to somewhere innocuous, but that still leaves the
>initial authentication thread active, and can be "backed" by the history
>list.  No, only unconditional dynamite will serve.
>
>  Anybody have any ideas?  I need to get this script bundle out the door
>ASAP for a product demo at the end of this upcoming week.
>
>-- Dave Lovering
>
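
An added example, not part of the original messages and not either poster's code: a variant of the child-window helper from the reply that only redirects to a same-origin http(s) URL and handles a missing or already-closed opener. The function names and the fallbackPath parameter are assumptions made for this illustration.

```javascript
// Added example, not from the original thread. Function names are hypothetical.

// Accept a redirect target only if it resolves to http(s) on the same origin
// as baseHref. Returns the normalized absolute URL, or null if rejected.
function safeRedirectTarget(requested, baseHref) {
  let url, base;
  try {
    base = new URL(baseHref);
    url = new URL(requested, base);
  } catch (e) {
    return null; // unparseable input
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return url.origin === base.origin ? url.href : null;
}

// win: the child window (pass `window` in a browser).
// fallbackPath: assumed same-origin landing page, e.g. "/login".
// Returns "parent-redirected", "self-redirected" or "rejected".
function closeChildRedirectParent(win, requested, fallbackPath) {
  const baseHref = win.location.href;
  const target = safeRedirectTarget(requested, baseHref) ||
                 safeRedirectTarget(fallbackPath, baseHref);
  if (!target) return "rejected";

  const parent = win.opener;
  if (parent && !parent.closed) {
    parent.location = target; // redirect parent
    parent.focus();           // bring parent to the top (best effort)
    win.close();              // child opened by script, so no prompt expected
    return "parent-redirected";
  }
  // No usable opener: close() would prompt or be ignored, so navigate this
  // window instead. replace() overwrites the current session-history entry.
  win.location.replace(target);
  return "self-redirected";
}
```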