W3C home > Mailing lists > Public > whatwg@whatwg.org > July 2010

[whatwg] postMessage's target origin argument can be a full URL in some implementations

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Wed, 14 Jul 2010 20:18:33 -0400
Message-ID: <4C3E53D9.5000708@mit.edu>
On 7/14/10 6:40 PM, Hallvord R M Steen wrote:
> My personal opinion is that protocol+host+port is better, simply
> because authors might assume the path is significant (i.e. think that
> 'http://www.geocities.com/foo' and 'http://www.geocities.com/bar'
> would be different origins). Allowing paths that are simply ignored
> might muddle the "origin" concept - not a major problem, but a small
> potential point of confusion.

I've actually used urls with a path for the origin; specifically when I 
wanted to pass in "the origin of this page".  In particular, I passed in 
location.href.

I'm fine with removing the ability to pass in a path _if_ we create a 
simple way for scripts to get origins from pages which can then be 
passed for this argument.  The alternative is that scripts will be 
parsing location.href themselves to extract the thing to pass as the 
origin string, which is just asking for security fail in my experience.

-Boris
Received on Wednesday, 14 July 2010 17:18:33 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:24 UTC