- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 2 Apr 2008 12:14:34 +0200
- To: public-html-comments@w3.org
- Cc: Thomas Roessler <tlr@w3.org>
The postMessage API currently has no facility for passing structured data of any kind between documents.

It does not require prophetic skills to predict that we'll soon see this API combined with JSON to get around this limitation, and that we'll see the dreaded eval used to parse the strings that are transmitted, causing another round of browser-based cross site vulnerabilities.

I would therefore propose that the HTML WG investigate extending postMessage in order to enable programmatically simple *and* safe passing of structured data.

Regards,
--
Thomas Roessler, W3C <tlr@w3.org>
Received on Wednesday, 2 April 2008 10:15:10 UTC
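
The receiving side of the concern raised in the message above, as an added example that is not part of the original message: a string-based postMessage receiver that parses with eval next to one that checks the origin, parses with JSON.parse and validates the shape. The origin, the "resize" message format, the size limits and the function names are assumptions made for illustration, and a native JSON.parse is assumed.

```javascript
// Constructed values for illustration; none of these appear in the original message.
const TRUSTED_ORIGINS = new Set(["https://widgets.example"]);
const SAMPLE_GOOD = '{"type":"resize","height":100}';
// Constructed string that is an expression, not JSON: harmless flag as a side effect.
const SAMPLE_NOT_JSON = 'globalThis.__evalRan = true, {"type":"resize","height":100}';

// The pattern the message warns about: eval executes whatever the sending
// document put in the string, with the receiving page's privileges.
function parseWithEval(data) {
  return eval("(" + data + ")");
}

// Hardened receiver: origin check, type and size check, data-only parsing,
// then schema validation. Returns a fresh object with only the expected fields.
function parseMessage(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { ok: false, reason: "untrusted origin" };
  }
  if (typeof event.data !== "string" || event.data.length > 4096) {
    return { ok: false, reason: "bad payload type or size" };
  }
  let msg;
  try {
    msg = JSON.parse(event.data); // parses data, never runs code
  } catch (e) {
    return { ok: false, reason: "not valid JSON" };
  }
  if (msg === null || typeof msg !== "object" || Array.isArray(msg)) {
    return { ok: false, reason: "not an object" };
  }
  if (msg.type !== "resize" || !Number.isInteger(msg.height) ||
      msg.height < 0 || msg.height > 10000) {
    return { ok: false, reason: "schema mismatch" };
  }
  return { ok: true, value: { type: "resize", height: msg.height } };
}

// In a browser, the handler would be wired up like this.
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const result = parseMessage(event);
    if (result.ok) {
      document.body.style.height = result.value.height + "px";
    }
  });
}
```

With SAMPLE_NOT_JSON, parseWithEval returns a normal-looking object after running the embedded assignment, while parseMessage rejects the string before anything executes.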