W3C home > Mailing lists > Public > whatwg@whatwg.org > July 2010

[whatwg] postMessage's target origin argument can be a full URL in some implementations

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 14 Jul 2010 18:45:04 -0700
Message-ID: <AANLkTim7IwXlYBKOoEBt-6jon7GPPYAEJCEsbqVjGNOB@mail.gmail.com>
On Wed, Jul 14, 2010 at 5:18 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 7/14/10 6:40 PM, Hallvord R M Steen wrote:
>>
>> My personal opinion is that protocol+host+port is better, simply
>> because authors might assume the path is significant (i.e. think that
>> 'http://www.geocities.com/foo' and 'http://www.geocities.com/bar'
>> would be different origins). Allowing paths that are simply ignored
>> might muddle the "origin" concept - not a major problem, but a small
>> potential point of confusion.
>
> I've actually used urls with a path for the origin; specifically when I
> wanted to pass in "the origin of this page". ?In particular, I passed in
> location.href.
>
> I'm fine with removing the ability to pass in a path _if_ we create a simple
> way for scripts to get origins from pages which can then be passed for this
> argument. ?The alternative is that scripts will be parsing location.href
> themselves to extract the thing to pass as the origin string, which is just
> asking for security fail in my experience.

Personally, I think we should stop screwing with postMessage and let
it be a stable enough API that folks can rely upon it.

Adam
Received on Wednesday, 14 July 2010 18:45:04 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:24 UTC