
postMessage API and structured data

From: Thomas Roessler <tlr@w3.org>
Date: Wed, 2 Apr 2008 12:14:34 +0200
Message-Id: <EC7EA308-C99D-4B16-85A8-EC3D1D1F07AC@w3.org>
To: public-html-comments@w3.org
Cc: Thomas Roessler <tlr@w3.org>

The postMessage API currently has no facility for passing structured  
data of any kind between documents. It does not require prophetic  
skills to predict that we'll soon see this API combined with JSON to  
get around this limitation, and that we'll see the dreaded eval used  
to parse the strings that are transmitted, causing another round of  
browser-based cross site vulnerabilities.

I would therefore propose that the HTML WG investigate extending  
postMessage in order to enable programmatically simple *and* safe  
passing of structured data.

Regards,
-- 
Thomas Roessler, W3C   <tlr@w3.org>
Received on Wednesday, 2 April 2008 10:15:10 GMT
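
The receiving side of the pattern the message anticipates (JSON strings sent through postMessage), as an added example that is not part of the original message: the eval-based parse it warns about next to a handler that checks the sender's origin, parses with JSON.parse and validates the shape. The allowlisted origin, the {type, value} message schema and the sample strings are assumptions constructed for illustration.

```javascript
// Added example, not code from the original message.
// Assumed for illustration: the trusted origin and the {type, value} schema.
const TRUSTED_ORIGINS = new Set(["https://widgets.example"]);
const ALLOWED_TYPES = new Set(["resize", "status"]);

// The pattern the message warns about: the sender's string is run as code.
function unsafeParse(text) {
  return eval("(" + text + ")");
}

// Hardened receiver: check the sender, parse as data only, validate the shape.
function receive(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return { ok: false, reason: "origin" };
  if (typeof event.data !== "string") return { ok: false, reason: "not-string" };
  let msg;
  try {
    msg = JSON.parse(event.data); // accepts JSON only, never evaluates expressions
  } catch (e) {
    return { ok: false, reason: "not-json" };
  }
  if (msg === null || typeof msg !== "object" || Array.isArray(msg)) {
    return { ok: false, reason: "shape" };
  }
  if (!ALLOWED_TYPES.has(msg.type) || !Number.isFinite(msg.value)) {
    return { ok: false, reason: "shape" };
  }
  // Copy only the expected fields so unexpected keys never reach callers.
  return { ok: true, message: { type: msg.type, value: msg.value } };
}

// Constructed inputs: valid JSON, and a string that is JavaScript but not JSON.
const GOOD = '{"type":"resize","value":480}';
const CODE_LIKE = '{"type":"resize","value":(globalThis.evalRan = true, 480)}';

// In a page the handler would be registered as:
//   window.addEventListener("message", (e) => { const r = receive(e); /* ... */ });
if (typeof require !== "undefined" && require.main === module) {
  console.log(receive({ origin: "https://widgets.example", data: GOOD }));
  console.log(receive({ origin: "https://widgets.example", data: CODE_LIKE }));
}
```

JSON.parse rejects the second string outright, while the eval-based parse returns an object that looks identical to the first and runs the embedded expression on the way.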
