
[whatwg] Fixing two security vulnerabilities in registerProtocolHandler

From: Jonas Sicking <jonas@sicking.cc>
Date: Tue, 27 Sep 2011 00:44:25 -0700
Message-ID: <CA+c2ei9DwfXkNU4FqywnvrFYzE9sZ--B2QxvGbadQYFYN2W92Q@mail.gmail.com>

On Mon, Sep 26, 2011 at 11:48 AM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 9/26/11 2:09 PM, Tyler Close wrote:
>> I suggest fixing this problem by adding a new
>> readonly DOMString that contains the correct origin for the
>> postMessage invocation; perhaps document.origin.
>
> I would be somewhat in favor of this.

Yeah, this seems like a good idea. Given how often we use origins
internally, I would be surprised if this isn't something that pages
need to do too.

/ Jonas
Received on Tuesday, 27 September 2011 00:44:25 UTC
