[whatwg] [Cross-document messaging] Restrictions on targetOrigin

From: João Eiras <joaoe@opera.com>
Date: Fri, 10 Feb 2012 17:09:03 +0100
Message-ID: <op.v9g0hdal2q99of@joaoe>

Hi.

Step 1 of the spec [1] for postMessage says:

"1. If the value of the targetOrigin argument is neither a single U+002A  
ASTERISK character (*), a single U+002F SOLIDUS character (/), nor an  
absolute URL, then throw a SyntaxError exception and abort the overall set  
of steps."

The absolute URL part will create problems when the origin of the  
scripting environment does not serialize to an absolute URL.

For instance, if you have two documents A and B in a non-HTTP context,  
where typically the origin will be "null", like file: or data:, and post a  
message from A to B, B will receive a message event whose event.origin  
property has a value of "null".
If the listener then does

# event.source.postMessage(reply, event.origin)

(which is a code snippet easily found in online tutorials) step 1 causes  
that call to fail with a SYNTAX_ERR exception.

Step 1 should be changed so that, instead of referring to an absolute URI,  
it refers to a valid origin, as serialized by the origin serialization algorithm.

Thoughts?

[1]  
http://www.whatwg.org/specs/web-apps/current-work/multipage/web-messaging.html#posting-messages
Received on Friday, 10 February 2012 08:09:03 UTC
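
The failure described in the message above, as an added example that is not part of the original post: it models step 1 as quoted and shows a listener-side helper that avoids echoing a "null" origin back as targetOrigin. The function names, the allowlist origins and the stand-in for event.source are assumptions made so the code runs outside a browser.

```javascript
// Added example; function names and origins below are hypothetical/constructed.

// Step 1 as quoted: accept "*", "/", or an absolute URL, else SyntaxError.
// `new URL(x)` with no base approximates the "absolute URL" test.
function checkTargetOrigin(targetOrigin) {
  if (targetOrigin === "*" || targetOrigin === "/") return targetOrigin;
  try {
    new URL(targetOrigin);
  } catch (_) {
    const err = new Error(`bad targetOrigin: ${JSON.stringify(targetOrigin)}`);
    err.name = "SyntaxError";
    throw err;
  }
  return targetOrigin;
}

// Constructed allowlist of origins the listener is willing to answer.
const ALLOWED = new Set(["https://app.example", "https://widget.example"]);

// Pick the targetOrigin for a reply, or null when no reply should be sent.
function replyTargetFor(event, allowed, allowOpaque = false) {
  if (event.origin === "null") {
    // Opaque sender (file:, data:): echoing "null" fails step 1. "*" passes,
    // but puts no restriction on the receiver, so it is opt-in here.
    return allowOpaque ? "*" : null;
  }
  return allowed.has(event.origin) ? checkTargetOrigin(event.origin) : null;
}

// Stand-in for event.source so the example runs outside a browser.
function fakeSource(log) {
  return {
    postMessage(msg, targetOrigin) {
      log.push([msg, checkTargetOrigin(targetOrigin)]);
    },
  };
}

function demo() {
  const log = [];
  const event = { origin: "null", data: "ping", source: fakeSource(log) };
  let naive = "sent";
  // The tutorial pattern: reply to event.origin directly.
  try { event.source.postMessage("pong", event.origin); } catch (e) { naive = e.name; }
  const target = replyTargetFor(event, ALLOWED, true);
  if (target !== null) event.source.postMessage("pong", target);
  return { naive, target, sent: log.length };
}

console.log(demo());
```

With `allowOpaque` left at its default, a message from a "null" origin gets no reply at all, which is the safer choice when the reply carries anything sensitive.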