[whatwg] Fixing two security vulnerabilities in registerProtocolHandler

Tyler Close tyler.close at gmail.com
Mon Apr 9 16:36:32 PDT 2012


On Mon, Apr 9, 2012 at 4:17 PM, Jonas Sicking <jonas at sicking.cc> wrote:
> Why is this so complicated?
>
> It seems clear to me that there is a use-case for sending a message to
> your parent frame, but only wanting to do so when your parent frame is
> from the same origin as you.

I think there's also a use case for securely sending a message to your
original window.open()'er, such that it can't be intercepted by any
page that can navigate your window.open()'er.

That means a page needs to know the Origin of its window.open()'er,
which may be different from the page's own Origin.

--Tyler


More information about the whatwg mailing list