postMessage API and structured data

The postMessage API currently has no facility for passing structured
data of any kind between documents. It does not require prophetic
skills to predict that we'll soon see this API combined with JSON to
get around this limitation, and that we'll see the dreaded eval used
to parse the strings that are transmitted, causing another round of
browser-based cross-site vulnerabilities.

I would therefore propose that the HTML WG investigate extending  
postMessage in order to enable programmatically simple *and* safe  
passing of structured data.

Regards,
-- 
Thomas Roessler, W3C   <tlr@w3.org>

Received on Wednesday, 2 April 2008 10:15:10 UTC
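
The risk described in the message above, as an added example that is not part of the original post: a receiver that eval()s the transmitted string, beside one that checks the sender, parses with JSON.parse and validates the shape. The origin, the "resize" message schema and the sample events are constructed assumptions; events are plain objects shaped like a MessageEvent so the code runs in Node or a browser.

```javascript
// Assumption: the single sender this receiver expects to hear from.
const TRUSTED_ORIGIN = "https://widgets.example";

// Receiver as the message predicts it: eval() on the transmitted string.
// Whatever expression the sending document supplies runs in the receiver.
function unsafeReceive(event) {
  return eval("(" + event.data + ")");
}

// Hardened receiver: verify the sender, parse as data only, validate shape.
function safeReceive(event) {
  if (event.origin !== TRUSTED_ORIGIN) {
    return { ok: false, reason: "untrusted origin" };
  }
  if (typeof event.data !== "string" || event.data.length > 4096) {
    return { ok: false, reason: "unexpected payload type or size" };
  }
  let msg;
  try {
    msg = JSON.parse(event.data); // never executes the input
  } catch (e) {
    return { ok: false, reason: "not JSON" };
  }
  if (msg === null || typeof msg !== "object" || Array.isArray(msg)) {
    return { ok: false, reason: "schema violation" };
  }
  // Copy out only the allowlisted fields; ignore everything else.
  const { action, height } = msg;
  if (action !== "resize" || !Number.isInteger(height) ||
      height < 0 || height > 10000) {
    return { ok: false, reason: "schema violation" };
  }
  return { ok: true, message: { action, height } };
}

// Constructed sample events (not captured traffic).
const benign = {
  origin: TRUSTED_ORIGIN,
  data: '{"action":"resize","height":300}',
};
// A JavaScript expression, not JSON: it has a harmless side effect and
// then yields the same object, so an eval-based receiver notices nothing.
const scripted = {
  origin: TRUSTED_ORIGIN,
  data: '(globalThis.evalRan = true, {"action":"resize","height":300})',
};
```

In a page, `safeReceive` would be called from a `message` event listener, acting on the result only when `ok` is true.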