- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 14 Jul 2010 15:45:14 -0700
On Wed, Jul 14, 2010 at 3:40 PM, Hallvord R M Steen <hallvors at gmail.com> wrote: > Hi, > the way I read the spec, the target origin argument for > window.postMessage should be a protocol, host name and optionally port > number - in other words > > window.postMessage( 'foo', 'http://www.example.com' ) > or > window.postMessage( 'foo', 'http://www.example.com:81' ) > > However, it has come to my attention that both WebKit and Gecko's > implementation of postMessage() allows a full URL with path: > > window.postMessage( 'foo', 'http://www.example.com/path/goes/here/' ) > > Isn't this a violation of the spec? > > My personal opinion is that protocol+host+port is better, simply > because authors might assume the path is significant (i.e. think that > 'http://www.geocities.com/foo' and 'http://www.geocities.com/bar' > would be different origins). Allowing paths that are simply ignored > might muddle the "origin" concept - not a major problem, but a small > potential point of confusion. > > Opera follows the spec (as I read it) and throws an exception if a URL > with a path is used, but I've recently come across two different > scripts breaking in Opera because of this issue. I think it's very > important to get this clarified and hopefully fixed in WebKit and > Gecko before usage is too common and we have to modify the spec to > allow it :-(. (We're already discussing fixes with the two broken > sites). > > Any comments from Mozilla and WebKit developers on the list? > > P.S.: we reported some bugs for you, in case you agree with our > reading and want to fix it :-) > https://bugs.webkit.org/show_bug.cgi?id=42170 > https://bugzilla.mozilla.org/show_bug.cgi?id=578380 My understanding is that this was a requirement from the spec. An unfortunate one at that. However when I found out it was too late to get the spec changed as multiple implementations had already shipped. / Jonas
Received on Wednesday, 14 July 2010 15:45:14 UTC