[whatwg] postMessage's target origin argument can be a full URL in some implementations

On Thu, 15 Jul 2010 13:38:49 +0200, Boris Zbarsky <bzbarsky at mit.edu> wrote:

> On 7/15/10 3:40 AM, Simon Pieters wrote:
>> The simple way to pass in the current origin, per spec, is to use the
>> string "/".
>
> Sounds like yet another spec change?  Gecko certainly doesn't support  
> that, so it wasn't in the spec when we implemented...

http://html5.org/tools/web-apps-tracker?from=4719&to=4720

Do you think the special value "/" is a good enough replacement for  
location.href as the targetOrigin to remove the ability to pass in a path  
in Gecko?


>>> The alternative is that scripts will be parsing location.href
>>> themselves to extract the thing to pass as the origin string, which is
>>> just asking for security fail in my experience.
>>
>> Even without the special string "/", a simple enough way to construct
>> the origin is location.protocol+"//"+location.host.
>
> Thanks for an _excellent_ illustration of my point.
>
> Your code will happily pass in strings like "about://" for about:blank,
> "jar://example.com" for "jar:http://example.com/!" (when the correct
> origin is "http://example.com/"), etc.  It's _exactly_ the sort of naive
> "everything is http" URI parsing that will get you in trouble in edge
> cases.

Yeah, true.

-- 
Simon Pieters
Opera Software

Received on Thursday, 15 July 2010 05:13:02 UTC
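The naive-construction pitfall Boris describes, alongside the spec's "/" value Simon mentions, as an added example that is not from the thread: it stands in for `location` with the WHATWG URL API (the global `URL` in Node and modern browsers), so the exact strings it yields for non-http schemes are that parser's rather than Gecko's, and the receiver-side allowlist check is an assumption about how a defender would validate `event.origin`.

```javascript
// Added example, not from the thread. `URL` stands in for `location` on
// each sample page URL.

// What location.protocol + "//" + location.host produces for a page at
// `href`: the naive construction from the thread. Fine for http(s),
// wrong for about:, jar: and other non-http schemes.
function naiveOrigin(href) {
  const u = new URL(href);
  return u.protocol + "//" + u.host;
}

// The origin as the URL standard serialises it: a tuple origin such as
// "http://example.com", or the literal string "null" for an opaque origin.
function standardOrigin(href) {
  return new URL(href).origin;
}

// targetOrigin for a same-origin postMessage: the spec's special value "/",
// so no string derived from location.href is needed at all.
function sameOriginTargetOrigin() {
  return "/";
}

// Receiver side (assumed pattern): accept a message only when event.origin
// is exactly one of the expected origins. "null" (opaque origin) is never
// accepted, and an exact comparison rejects lookalike hosts.
function isAllowedOrigin(eventOrigin, allowedOrigins) {
  if (eventOrigin === "null") return false;
  return allowedOrigins.includes(eventOrigin);
}

// Constructed sample page URLs, including the edge cases from the thread.
const SAMPLE_PAGES = [
  "http://example.com/page",
  "about:blank",
  "jar:http://example.com/!",
];

for (const href of SAMPLE_PAGES) {
  console.log(href, "naive:", naiveOrigin(href), "standard:", standardOrigin(href));
}
```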