- From: Jeff Walden <jwalden+whatwg@MIT.EDU>
- Date: Fri, 04 Apr 2008 13:54:55 -0400
Sunava Dutta wrote:

> • The language in http://www.whatwg.org/specs/web-apps/current-work/multipage/section-crossDocumentMessages.html overpromises the security of this feature and we recommend a revision. The current language implies that cross-site scripting attacks are not possible. This is not correct since a developer can receive script from a postmessage and run it in the DOM.

I don't really think it's an overpromise, but there's nothing wrong with paranoia (I've already clearly indicted myself with <http://developer.mozilla.org/en/docs/DOM:window.postMessage> :-) ). I wouldn't add it myself, but if people are more comfortable with it than with the current wording, no complaints here.

> • We're glad to see the e.URI gone. It exposed too much potentially dangerous information.

No complaints there, once I read the rationale behind the change.

> • For the postMessage (message, origin) method we would recommend the parameter be called postMessage(message, targetOrigin) since it's easier to understand what it is.

No complaints here either.

> Here's our rewrite!

Thanks for the feedback!

Jeff
Received on Friday, 4 April 2008 10:54:55 UTC