- From: Tyler Close <tyler.close@gmail.com>
- Date: Tue, 27 Sep 2011 12:27:41 -0700

On Mon, Sep 26, 2011 at 11:09 AM, Tyler Close <tyler.close at gmail.com> wrote:
> The second problem with RPH is that the handler page doesn't have a
> way of reliably getting the URL of the content to be handled from the
> browser. In order to work in offline scenarios, the RPH handler must
> put the %s placeholder in the fragment of its handler's URL.
> Unfortunately, this means that other content in the browser could
> modify the content URL before the handler reads it.

Just to clarify, the problem here is the well-known message integrity problem with using window.location.hash for cross-domain messaging. Since window.location.hash can be written to by content from many other origins, the RPH handler can't rely on the window.location.hash containing the content URL specified by the RPH client. Putting a copy of the content URL in window.navigator.action solves this problem.

--Tyler

Received on Tuesday, 27 September 2011 12:27:41 UTC