W3C home > Mailing lists > Public > public-html@w3.org > May 2009

postMessage: origin serialized too early

From: Thomas Roessler <tlr@w3.org>
Date: Wed, 27 May 2009 13:55:07 +0200
Message-Id: <9E117868-941D-4259-AD42-BAEEAB7203DC@w3.org>
To: public-html@w3.org
Background:
   http://krijnhoetmer.nl/irc-logs/webapps/20090527

In HTML5, section 8.2.3, point 5, mandates that the origin attribute  
of a MessageEvent event must be set to the unicode serialization of  
the origin of the script that invoked postMessage.  That implies that  
an opaque origin is serialized to the string "null" here.

As a consequence, when the event is handled, it is *not* possible to  
set the targetOrigin parameter of a possible response message to a  
value that would bind it to the original message's sender, if that  
sender has an opaque origin.

Remedy: the origin attribute of an event of type MessageEvent ought to  
behave like a proper origin, even if it is an opaque one; i.e., be  
comparable to other opaque origins in the same-origin check, and  
serialize to "null".  Serialization should not occur when the  
attribute is constructed.

Thanks,
--
Thomas Roessler, W3C  <tlr@w3.org>
Received on Wednesday, 27 May 2009 11:55:17 UTC

This archive was generated by hypermail 2.3.1 : Monday, 29 September 2014 09:39:03 UTC