postMessage API and structured data from Thomas Roessler on 2008-04-02 (public-html-comments@w3.org from April 2008)

From: Thomas Roessler <tlr@w3.org>
Date: Wed, 2 Apr 2008 12:14:34 +0200
To: public-html-comments@w3.org
Cc: Thomas Roessler <tlr@w3.org>
Message-Id: <EC7EA308-C99D-4B16-85A8-EC3D1D1F07AC@w3.org>

The postMessage API currently has no facility for passing structured  
data of any kind between documents. It does not require prophetic  
skills to predict that we'll soon see this API combined with JSON to  
get around this limitation, and that we'll see the dreaded eval used  
to parse the strings that are transmitted, causing another round of  
browser-based cross site vulnerabilities.

I would therefore propose that the HTML WG investigate extending  
postMessage in order to enable programmatically simple *and* safe  
passing of structured data.

Regards,
-- 
Thomas Roessler, W3C   <tlr@w3.org>

Received on Wednesday, 2 April 2008 10:15:10 UTC