W3C home > Mailing lists > Public > public-html@w3.org > July 2009

Re: postMessage: origin serialized too early

From: Ian Hickson <ian@hixie.ch>
Date: Fri, 10 Jul 2009 23:29:18 +0000 (UTC)
To: Thomas Roessler <tlr@w3.org>
Cc: public-html@w3.org
Message-ID: <Pine.LNX.4.62.0907102324580.23663@hixie.dreamhostps.com>
On Sun, 14 Jun 2009, Thomas Roessler wrote:
> > > 
> > > In HTML5, section 8.2.3, point 5, mandates that the origin attribute 
> > > of a MessageEvent event must be set to the unicode serialization of 
> > > the origin of the script that invoked postMessage.  That implies 
> > > that an opaque origin is serialized to the string "null" here.
> > > 
> > > As a consequence, when the event is handled, it is *not* possible to 
> > > set the targetOrigin parameter of a possible response message to a 
> > > value that would bind it to the original message's sender, if that 
> > > sender has an opaque origin.
> > > 
> > > Remedy: the origin attribute of an event of type MessageEvent ought 
> > > to behave like a proper origin, even if it is an opaque one; i.e., 
> > > be comparable to other opaque origins in the same-origin check, and 
> > > serialize to "null". Serialization should not occur when the 
> > > attribute is constructed.
> > 
> > This would require constructing an opaque JS object that represents an 
> > origin. This has never been exposed before. Do we really want to do 
> > this? What is the use case? The only cases on the Web where this can 
> > happen seem to be cases like data: URIs generating custom 
> > subdocuments, but that seems like a very strange edge case. In such 
> > cases, scripts can just communicate directly anyway.
> Communicating out of (and back into) sandboxed iframes comes to mind as 
> the other use case, besides the widget work.

For that case, just send a MessagePort with your first message, and then 
use MessagePort communication instead of window.postMessage().

> > I think it would make more sense to wait until we have a clear need to 
> > do this before adding this feature. We can always retrofit it by 
> > making the objects serialise to a string.
> So, what's the downside to serializing opaque origins into long random 
> numbers that can in turn be compared to them?

I don't know that I have a good reasoned downside. It strikes me as, well, 
ugly, though. It also seems like the kind of thing that would lead to 
problems later, though I don't have rational reason for this impression.

> (Or, put differently, what - besides CORS and the Origin proposal - is 
> the use case for serializing opaque origins into "null" throughout 
> HTML5?)

It's not a feature; there's no use case for it. It's just that we have to 
serialise to something to keep everything well-defined.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 10 July 2009 23:29:54 UTC

This archive was generated by hypermail 2.4.0 : Saturday, 9 October 2021 18:44:51 UTC