[whatwg] postMessage's target origin argument can be a full URL in some implementations

On Thu, 15 Jul 2010 02:18:33 +0200, Boris Zbarsky <bzbarsky at mit.edu> wrote:

> On 7/14/10 6:40 PM, Hallvord R M Steen wrote:
>> My personal opinion is that protocol+host+port is better, simply
>> because authors might assume the path is significant (i.e. think that
>> 'http://www.geocities.com/foo' and 'http://www.geocities.com/bar'
>> would be different origins). Allowing paths that are simply ignored
>> might muddle the "origin" concept - not a major problem, but a small
>> potential point of confusion.
>
> I've actually used urls with a path for the origin; specifically when I  
> wanted to pass in "the origin of this page".  In particular, I passed in  
> location.href.
>
> I'm fine with removing the ability to pass in a path _if_ we create a  
> simple way for scripts to get origins from pages which can then be  
> passed for this argument.

The simple way to pass in the current origin, per spec, is to use the  
string "/".


> The alternative is that scripts will be parsing location.href themselves  
> to extract the thing to pass as the origin string, which is just asking  
> for security fail in my experience.

Even without the special string "/", a simple enough way to construct the  
origin is location.protocol+"//"+location.host.

-- 
Simon Pieters
Opera Software

Received on Thursday, 15 July 2010 00:40:50 UTC