W3C home > Mailing lists > Public > whatwg@whatwg.org > February 2008

[whatwg] A potential slight security enhancement to postMessage

From: Jeff Walden <jwalden+whatwg@MIT.EDU>
Date: Fri, 01 Feb 2008 23:25:19 -0500
Message-ID: <47A3F0AF.4050709@mit.edu>
Aaron Boodman wrote:
> Not necessarily. You could do something like this:
> window.createMessageReceiver("http://www.google.com")
>     .addEventListener("post-message", function() {
>   ...
> }, fase);
> Could probably come up with a better method name, and I forget the
> name of the event to use with PostMessage, but I hope you get the
> idea.

Ah, yes, hadn't given it enough thought to think of that idea.  Adding yet another object type to the HTML5 system seems suboptimal, but it would address the problem.  A whitespace-separated string of URIs (or prefixes?  or domains?  domains is least complicated but doesn't address protocol, and possibly not port) seems like a reasonable way to do it.

> If you tell people they have to read x property before y
> property, they will just do:
> // spec says we have to read this first
> var foo = event.domain;
> alert(event.message);

That'd be the fear, yes.  It depends to an extent on how the documentation's worded, which is the problem this is originally trying to avoid.

Received on Friday, 1 February 2008 20:25:19 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:08:39 UTC