- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 14 Jul 2010 18:45:04 -0700
On Wed, Jul 14, 2010 at 5:18 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote: > On 7/14/10 6:40 PM, Hallvord R M Steen wrote: >> >> My personal opinion is that protocol+host+port is better, simply >> because authors might assume the path is significant (i.e. think that >> 'http://www.geocities.com/foo' and 'http://www.geocities.com/bar' >> would be different origins). Allowing paths that are simply ignored >> might muddle the "origin" concept - not a major problem, but a small >> potential point of confusion. > > I've actually used urls with a path for the origin; specifically when I > wanted to pass in "the origin of this page". ?In particular, I passed in > location.href. > > I'm fine with removing the ability to pass in a path _if_ we create a simple > way for scripts to get origins from pages which can then be passed for this > argument. ?The alternative is that scripts will be parsing location.href > themselves to extract the thing to pass as the origin string, which is just > asking for security fail in my experience. Personally, I think we should stop screwing with postMessage and let it be a stable enough API that folks can rely upon it. Adam
Received on Wednesday, 14 July 2010 18:45:04 UTC