
[whatwg] IE Team Feedback on HTML 5.0 Cross Document Messaging

From: Jeff Walden <jwalden+whatwg@MIT.EDU>
Date: Fri, 04 Apr 2008 13:54:55 -0400
Message-ID: <47F66B6F.4030406@mit.edu>
Sunava Dutta wrote:
> • The language in http://www.whatwg.org/specs/web-apps/current-work/multipage/section-crossDocumentMessages.html overpromises the security of this feature and we recommend a revision. The current language implies that cross site scripting attacks are not possible. This is not correct since a developer can receive script from a postmessage and run it in the DOM.

I don't really think it's an overpromise, but there's nothing wrong with paranoia (I've already clearly indicted myself with <http://developer.mozilla.org/en/docs/DOM:window.postMessage> :-) ).  I wouldn't add it myself, but if people are more comfortable with it than with the current wording, no complaints here.

> • We're glad to see the e.URI gone. It exposed too much potentially dangerous information.

No complaints there, once I read the rationale behind the change.

> • For the postMessage (message, origin) method we would recommend the parameter be called postMessage(message, targetOrigin) since it's easier to understand what it is.

No complaints here either.

> Here's our rewrite!

Thanks for the feedback!
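The two security points raised in this exchange, receiving script over postMessage and running it, and naming the target origin on the sender side, are easier to see in code. The following is an added example and is not part of the thread or of any browser's implementation: it places the unsafe "execute the message body" pattern beside a hardened receiver that checks event.origin and treats the payload strictly as data, and a sender that passes targetOrigin. The origins, the message shape ("setGreeting") and the fakeWindow() stand-in are constructed so the file runs under Node without a browser; real postMessage takes only (message, targetOrigin), the third argument exists here only to fill in event.origin in the simulation.

```javascript
// Added example (not from the thread): a cross-document messaging receiver
// that checks event.origin and treats the payload strictly as data, next to
// the unsafe pattern the IE team warns about. Origins and the fakeWindow()
// stand-in are constructed so the file runs under Node with no browser.

const RECEIVER_ORIGIN = "https://app.example";    // constructed: page that listens
const TRUSTED_SENDER  = "https://widget.example"; // constructed: only origin we accept
const OTHER_ORIGIN    = "https://other.example";  // constructed: any other origin

// Unsafe pattern: the message body is executed as script, so whichever page
// can reach this window (any origin, if the sender used targetOrigin "*")
// gets to run code in it. This is the cross-site scripting the thread means.
function unsafeHandler(event) {
  return new Function(event.data)();
}

// Hardened receiver: the origin is checked first, the payload must be JSON of
// one known shape, and the result is returned as plain text (for
// el.textContent in a real page, never innerHTML or eval).
function safeHandler(event, trustedOrigin = TRUSTED_SENDER) {
  if (event.origin !== trustedOrigin) {
    return { accepted: false, reason: "unexpected origin " + event.origin };
  }
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (_) {
    return { accepted: false, reason: "payload is not JSON" };
  }
  if (msg === null || typeof msg !== "object" ||
      msg.type !== "setGreeting" || typeof msg.name !== "string") {
    return { accepted: false, reason: "unknown message shape" };
  }
  return { accepted: true, text: "Hello, " + msg.name };
}

// Stand-in for a browser window. Real postMessage(data, targetOrigin) takes
// two arguments; the third (senderOrigin) exists only so this simulation can
// fill in event.origin. The browser drops the message when targetOrigin is
// not "*" and does not match the window's current origin.
function fakeWindow(windowOrigin, handler) {
  return {
    postMessage(data, targetOrigin, senderOrigin) {
      if (targetOrigin !== "*" && targetOrigin !== windowOrigin) {
        return null; // dropped: receiver is not at the origin the sender named
      }
      return handler({ data, origin: senderOrigin });
    },
  };
}

// Sender side, using the targetOrigin parameter the thread discusses: the
// payload is delivered only if the target window is still at that origin,
// so a navigated-away frame at some other origin never sees it.
function sendGreeting(targetWindow, name, senderOrigin = TRUSTED_SENDER) {
  const payload = JSON.stringify({ type: "setGreeting", name });
  return targetWindow.postMessage(payload, RECEIVER_ORIGIN, senderOrigin);
}

// The cases a reviewer would want covered: trusted sender, wrong origin,
// a script-looking payload from the trusted origin, and a receiver window
// that is no longer at the origin the sender named.
function runScenarios() {
  const receiver = fakeWindow(RECEIVER_ORIGIN, safeHandler);
  return {
    trusted:       sendGreeting(receiver, "Ada"),
    wrongOrigin:   sendGreeting(receiver, "Ada", OTHER_ORIGIN),
    scriptPayload: receiver.postMessage("alert(1)", RECEIVER_ORIGIN, TRUSTED_SENDER),
    navigatedAway: fakeWindow(OTHER_ORIGIN, safeHandler)
                     .postMessage("{}", RECEIVER_ORIGIN, TRUSTED_SENDER),
  };
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

Note that the origin check and the data-only handling are independent protections: the origin check limits who can talk to the page, while refusing to execute or inject the payload means that even a message from the trusted origin cannot become script. The sender's targetOrigin is the third, separate guarantee, covering the case where the receiving window has meanwhile navigated to a different site.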

Received on Friday, 4 April 2008 10:54:55 UTC
