[whatwg] IE Team Feedback on HTML 5.0 Cross Document Messaging

Sunava Dutta wrote:
> •  The language in http://www.whatwg.org/specs/web-apps/current-work/multipage/section-crossDocumentMessages.html overpromises the security of this feature and we recommend a revision. The current language implies that cross site scripting attacks are not possible. This is not correct since a developer can receive script from a postmessage and run it in the DOM.

I don't really think it's an overpromise, but there's nothing wrong with paranoia (I've already clearly indicted myself with <http://developer.mozilla.org/en/docs/DOM:window.postMessage> :-) ).  I wouldn't add it myself, but if people are more comfortable with it than with the current wording, no complaints here.

> •  We're glad to see the e.URI gone. It exposed too much potentially dangerous information.

No complaints there, once I read the rationale behind the change.

> •  For the postMessage (message, origin) method we would recommend the parameter be called postMessage(message, targetOrigin) since it's easier to understand what it is.

No complaints here either.

> Here's our rewrite!

Thanks for the feedback!


Received on Friday, 4 April 2008 10:54:55 UTC
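The following is an added example, not part of the thread above and not code from either the WHATWG spec or the IE team. It models the two points under discussion in plain Node.js so it runs without a browser: a receiver that executes message contents as script is an XSS sink regardless of what the spec text promises, an origin-checking receiver is not, and the second postMessage argument (the one the IE team proposes calling targetOrigin) is a sender-side guard that drops the message when the receiving window's current origin does not match. The FakeWindow class, the origins, the allowlist and the payload strings are all constructed here for illustration.

```javascript
// Added example (not from the original thread). FakeWindow, TRUSTED_ORIGINS,
// the origins and the payloads below are constructed for illustration.

// Assumption: the origins this receiver is willing to accept messages from.
const TRUSTED_ORIGINS = new Set(['https://app.example']);

// Stand-in for a browsing context. deliver() models the spec's delivery rule:
// if targetOrigin is neither '*' nor the receiver's current origin the message
// is dropped; otherwise each 'message' listener gets an event whose .origin is
// the sender's origin and whose .data is the posted string.
class FakeWindow {
  constructor(origin) {
    this.origin = origin;   // what window.location.origin would report
    this.listeners = [];
    this.dropped = 0;       // messages refused because targetOrigin mismatched
  }
  addEventListener(type, fn) {
    if (type === 'message') this.listeners.push(fn);
  }
  deliver(sender, data, targetOrigin) {
    if (targetOrigin !== '*' && targetOrigin !== this.origin) {
      this.dropped += 1;
      return false;
    }
    const event = { data: String(data), origin: sender.origin, source: sender };
    for (const fn of this.listeners) fn(event);
    return true;
  }
}

// Equivalent of `target.postMessage(data, targetOrigin)` executed inside `sender`.
function postMessage(sender, target, data, targetOrigin) {
  return target.deliver(sender, data, targetOrigin);
}

// The case the IE team describes: no origin check, and the payload is executed.
// Any page holding a reference to this window gets script execution in it.
// Deliberately unsafe.
function installVulnerableReceiver(win, state) {
  win.addEventListener('message', (event) => {
    state.lastResult = new Function(event.data)(); // runs sender-supplied code
  });
}

// Hardened receiver: allowlist event.origin, require a structured payload, and
// only ever treat the value as inert text (textContent, never innerHTML/eval).
function installHardenedReceiver(win, state) {
  state.rejected = [];
  win.addEventListener('message', (event) => {
    if (!TRUSTED_ORIGINS.has(event.origin)) {
      state.rejected.push('origin:' + event.origin);
      return;
    }
    let msg;
    try {
      msg = JSON.parse(event.data);
    } catch (e) {
      state.rejected.push('malformed');
      return;
    }
    if (msg === null || typeof msg !== 'object' || typeof msg.text !== 'string') {
      state.rejected.push('shape');
      return;
    }
    state.textContent = msg.text; // stored/rendered as text, not markup
  });
}

// Runs the three scenarios and returns the observable outcomes.
function demo() {
  const attacker = new FakeWindow('https://evil.example');
  const app = new FakeWindow('https://app.example');

  // (a) vulnerable receiver: the attacker's script runs, no origin check at all
  const victim = new FakeWindow('https://victim.example');
  const vuln = {};
  installVulnerableReceiver(victim, vuln);
  postMessage(attacker, victim, 'return 6 * 7', '*');

  // (b) hardened receiver: attacker rejected; markup-looking text from the
  //     trusted origin is kept as a plain string
  const hardened = new FakeWindow('https://victim.example');
  const safe = {};
  installHardenedReceiver(hardened, safe);
  postMessage(attacker, hardened, 'return 6 * 7', '*');
  postMessage(app, hardened, JSON.stringify({ text: '<img src=x onerror=alert(1)>' }), '*');
  const textAfterMarkup = safe.textContent;

  // (c) targetOrigin on the sending side: the app only wants
  //     https://victim.example to see the message; a frame that has navigated
  //     elsewhere never receives it
  const navigatedAway = new FakeWindow('https://other.example');
  const deliveredToWrongOrigin = postMessage(app, navigatedAway, 'secret', 'https://victim.example');
  const deliveredToRightOrigin = postMessage(app, hardened, JSON.stringify({ text: 'hi' }), 'https://victim.example');

  return {
    vulnerableRanAttackerCode: vuln.lastResult,
    hardenedRejected: safe.rejected,
    textAfterMarkup,
    deliveredToWrongOrigin,
    deliveredToRightOrigin,
    droppedByTargetOriginCheck: navigatedAway.dropped,
  };
}
```

Running demo() shows the vulnerable window evaluating the attacker's string (result 42) while the hardened one records only a rejected origin, and shows that a message sent with a specific targetOrigin to a window now at a different origin is dropped rather than delivered, which is the sender-side protection the targetOrigin name is meant to make obvious.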