[html5] r4720 - [agiow] (2) Change postMessage()'s targetOrigin argument to not actually resolve [...]
whatwg at whatwg.org
Sat Feb 13 21:44:03 PST 2010
Author: ianh
Date: 2010-02-13 21:44:01 -0800 (Sat, 13 Feb 2010)
New Revision: 4720
Modified:
complete.html
index
source
Log:
[agiow] (2) Change postMessage()'s targetOrigin argument to not actually resolve but to just treat '/' specially. This will mean that targetOrigin can no longer be in the form '//example.com/' and can no longer be the empty string.
Fixing http://www.w3.org/Bugs/Public/show_bug.cgi?id=8490
Modified: complete.html
===================================================================
--- complete.html 2010-02-14 05:29:12 UTC (rev 4719)
+++ complete.html 2010-02-14 05:44:01 UTC (rev 4720)
@@ -68368,7 +68368,9 @@
<p>If the origin of the target window doesn't match the given
origin, the message is discarded, to avoid information leakage. To
send the message to the target regardless of origin, set the
- target origin to "<code title="">*</code>".</p>
+ target origin to "<code title="">*</code>". To restrict the
+ message to same-origin targets only, without needing to explicitly
+ state the origin, set the target origin to "<code title="">/</code>".</p>
<p>Throws an <code><a href=#invalid_state_err>INVALID_STATE_ERR</a></code> if the <var title="">ports</var> array is not null and it contains either null
entries or duplicate ports.</p>
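Review bot: the author-facing summary now documents "/", but the Throws paragraph directly below it, as shown here, still lists only INVALID_STATE_ERR for the ports array. The log message says '//example.com/' and the empty string are no longer accepted, so authors reading this summary get no hint that an unaccepted targetOrigin raises SYNTAX_ERR. Suggest adding a matching "Throws a SYNTAX_ERR if targetOrigin is not one of the accepted forms" sentence next to the existing one.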
@@ -68384,11 +68386,10 @@
<ol><li>
<p>If the value of the <var title="">targetOrigin</var> argument
- is not a single U+002A ASTERISK character (*), and <a href=#resolve-a-url title="resolve a url">resolving</a> it relative to the
- <a href=#entry-script>entry script</a>'s <a href="#script's-base-url" title="script's base URL">base
- URL</a> either fails or results in a <a href=#url>URL</a> with a
+ is neither a single U+002A ASTERISK character (*), a single U+002F
+ SOLIDUS character (/), nor an <a href=#absolute-url>absolute URL</a> with a
<code title=url-host-specific><a href=#url-host-specific><host-specific></a></code>
- component that is neither empty nor a single U+002F SOLIDUS
+ component that is either empty or a single U+002F SOLIDUS
character (/), then throw a <code><a href=#syntax_err>SYNTAX_ERR</a></code> exception and
abort the overall set of steps.</p>
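Review bot: the rewritten condition in this step is hard to parse. "neither a single U+002A ASTERISK character (*), a single U+002F SOLIDUS character (/), nor an absolute URL with a <host-specific> component that is either empty or a single U+002F SOLIDUS" leaves the reader to work out that the host-specific restriction describes the accepted URL form rather than the throw case. Suggest listing the three accepted forms and then saying "otherwise, throw SYNTAX_ERR", with a note that relative forms and the empty string are rejected, since that is the behavioural change the log message calls out.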
@@ -68411,13 +68412,23 @@
<li>
- <p>If the <var title="">targetOrigin</var> argument has a value
- other than a single literal U+002A ASTERISK character (*), and
- the <code>Document</code> of the <code><a href=#window>Window</a></code> object on
- which the method was invoked does not have the <a href=#same-origin>same
- origin</a> as <var title="">targetOrigin</var>, then abort
- these steps silently.</p>
+ <p>If the <var title="">targetOrigin</var> argument is a single
+ literal U+002F SOLIDUS character (/), and the
+ <code>Document</code> of the <code><a href=#window>Window</a></code> object on which
+ the method was invoked does not have the <a href=#same-origin>same origin</a>
+ as the <a href=#entry-script>entry script</a>'s <a href="#script's-browsing-context" title="script's browsing
+ context">browsing context</a>, then abort these steps
+ silently.</p>
+ <p>Otherwise, if the <var title="">targetOrigin</var> argument is
+ an <a href=#absolute-url>absolute URL</a>, and the <code>Document</code> of the
+ <code><a href=#window>Window</a></code> object on which the method was invoked does
+ not have the <a href=#same-origin>same origin</a> as <var title="">targetOrigin</var>, then abort these steps silently.</p>
+
+ <p>Otherwise, the <var title="">targetOrigin</var> argument is a
+ single literal U+002A ASTERISK character (*), and no origin check
+ is made.</p>
+
</li>
<li>
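Review bot: in the new "/" branch the comparison is between a Document and a browsing context ("same origin as the entry script's browsing context"), while the absolute-URL branch compares the Document with targetOrigin. Please name whose origin is meant on the right-hand side (for example the Document in that browsing context, or the script's own origin), since that value decides whether a "/" message is delivered or silently dropped.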
@@ -68458,11 +68469,10 @@
<ol><!-- EXCEPT WHERE NOTED, THESE STEPS ARE IDENTICAL TO THE PREVIOUS SECTION --><!-- one exception is the use of -3 instead of -2 in the xrefs --><li>
<p>If the value of the <var title="">targetOrigin</var> argument
- is not a single U+002A ASTERISK character (*), and <a href=#resolve-a-url title="resolve a url">resolving</a> it relative to the
- <a href=#entry-script>entry script</a>'s <a href="#script's-base-url" title="script's base URL">base
- URL</a> either fails or results in a <a href=#url>URL</a> with a
+ is neither a single U+002A ASTERISK character (*), a single U+002F
+ SOLIDUS character (/), nor an <a href=#absolute-url>absolute URL</a> with a
<code title=url-host-specific><a href=#url-host-specific><host-specific></a></code>
- component that is neither empty nor a single U+002F SOLIDUS
+ component that is either empty or a single U+002F SOLIDUS
character (/), then throw a <code><a href=#syntax_err>SYNTAX_ERR</a></code> exception and
abort the overall set of steps.</p>
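Review bot: this step is a verbatim copy of the one changed in the previous section, and the comment at the top of the list ("EXCEPT WHERE NOTED, THESE STEPS ARE IDENTICAL TO THE PREVIOUS SECTION") shows the two are kept in sync by hand. For an input-validation rule, a missed edit in one copy would leave the two sections accepting different targetOrigin values. Suggest defining the targetOrigin check once and referencing it from both lists.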
@@ -68519,13 +68529,23 @@
<li>
- <p>If the <var title="">targetOrigin</var> argument has a value
- other than a single literal U+002A ASTERISK character (*), and
- the <code>Document</code> of the <code><a href=#window>Window</a></code> object on
- which the method was invoked does not have the <a href=#same-origin>same
- origin</a> as <var title="">targetOrigin</var>, then abort
- these steps silently.</p>
+ <p>If the <var title="">targetOrigin</var> argument is a single
+ literal U+002F SOLIDUS character (/), and the
+ <code>Document</code> of the <code><a href=#window>Window</a></code> object on which
+ the method was invoked does not have the <a href=#same-origin>same origin</a>
+ as the <a href=#entry-script>entry script</a>'s <a href="#script's-browsing-context" title="script's browsing
+ context">browsing context</a>, then abort these steps
+ silently.</p>
+ <p>Otherwise, if the <var title="">targetOrigin</var> argument is
+ an <a href=#absolute-url>absolute URL</a>, and the <code>Document</code> of the
+ <code><a href=#window>Window</a></code> object on which the method was invoked does
+ not have the <a href=#same-origin>same origin</a> as <var title="">targetOrigin</var>, then abort these steps silently.</p>
+
+ <p>Otherwise, the <var title="">targetOrigin</var> argument is a
+ single literal U+002A ASTERISK character (*), and no origin check
+ is made.</p>
+
</li>
<li>
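Review bot: the final "Otherwise" paragraph asserts that targetOrigin is "*" rather than testing for it, so the branch with no origin check is the fall-through case. It is only safe because the earlier validation step throws on everything other than "*", "/" and an absolute URL. Suggest making the last branch an explicit test for "*", so that any later loosening of the validation step fails closed instead of delivering without an origin check.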
Modified: index
===================================================================
--- index 2010-02-14 05:29:12 UTC (rev 4719)
+++ index 2010-02-14 05:44:01 UTC (rev 4720)
@@ -63379,7 +63379,9 @@
<p>If the origin of the target window doesn't match the given
origin, the message is discarded, to avoid information leakage. To
send the message to the target regardless of origin, set the
- target origin to "<code title="">*</code>".</p>
+ target origin to "<code title="">*</code>". To restrict the
+ message to same-origin targets only, without needing to explicitly
+ state the origin, set the target origin to "<code title="">/</code>".</p>
<p>Throws an <code><a href=#invalid_state_err>INVALID_STATE_ERR</a></code> if the <var title="">ports</var> array is not null and it contains either null
entries or duplicate ports.</p>
@@ -63395,11 +63397,10 @@
<ol><li>
<p>If the value of the <var title="">targetOrigin</var> argument
- is not a single U+002A ASTERISK character (*), and <a href=#resolve-a-url title="resolve a url">resolving</a> it relative to the
- <a href=#entry-script>entry script</a>'s <a href="#script's-base-url" title="script's base URL">base
- URL</a> either fails or results in a <a href=#url>URL</a> with a
+ is neither a single U+002A ASTERISK character (*), a single U+002F
+ SOLIDUS character (/), nor an <a href=#absolute-url>absolute URL</a> with a
<code title=url-host-specific><a href=#url-host-specific><host-specific></a></code>
- component that is neither empty nor a single U+002F SOLIDUS
+ component that is either empty or a single U+002F SOLIDUS
character (/), then throw a <code><a href=#syntax_err>SYNTAX_ERR</a></code> exception and
abort the overall set of steps.</p>
@@ -63422,13 +63423,23 @@
<li>
- <p>If the <var title="">targetOrigin</var> argument has a value
- other than a single literal U+002A ASTERISK character (*), and
- the <code>Document</code> of the <code><a href=#window>Window</a></code> object on
- which the method was invoked does not have the <a href=#same-origin>same
- origin</a> as <var title="">targetOrigin</var>, then abort
- these steps silently.</p>
+ <p>If the <var title="">targetOrigin</var> argument is a single
+ literal U+002F SOLIDUS character (/), and the
+ <code>Document</code> of the <code><a href=#window>Window</a></code> object on which
+ the method was invoked does not have the <a href=#same-origin>same origin</a>
+ as the <a href=#entry-script>entry script</a>'s <a href="#script's-browsing-context" title="script's browsing
+ context">browsing context</a>, then abort these steps
+ silently.</p>
+ <p>Otherwise, if the <var title="">targetOrigin</var> argument is
+ an <a href=#absolute-url>absolute URL</a>, and the <code>Document</code> of the
+ <code><a href=#window>Window</a></code> object on which the method was invoked does
+ not have the <a href=#same-origin>same origin</a> as <var title="">targetOrigin</var>, then abort these steps silently.</p>
+
+ <p>Otherwise, the <var title="">targetOrigin</var> argument is a
+ single literal U+002A ASTERISK character (*), and no origin check
+ is made.</p>
+
</li>
<li>
@@ -63469,11 +63480,10 @@
<ol><!-- EXCEPT WHERE NOTED, THESE STEPS ARE IDENTICAL TO THE PREVIOUS SECTION --><!-- one exception is the use of -3 instead of -2 in the xrefs --><li>
<p>If the value of the <var title="">targetOrigin</var> argument
- is not a single U+002A ASTERISK character (*), and <a href=#resolve-a-url title="resolve a url">resolving</a> it relative to the
- <a href=#entry-script>entry script</a>'s <a href="#script's-base-url" title="script's base URL">base
- URL</a> either fails or results in a <a href=#url>URL</a> with a
+ is neither a single U+002A ASTERISK character (*), a single U+002F
+ SOLIDUS character (/), nor an <a href=#absolute-url>absolute URL</a> with a
<code title=url-host-specific><a href=#url-host-specific><host-specific></a></code>
- component that is neither empty nor a single U+002F SOLIDUS
+ component that is either empty or a single U+002F SOLIDUS
character (/), then throw a <code><a href=#syntax_err>SYNTAX_ERR</a></code> exception and
abort the overall set of steps.</p>
@@ -63530,13 +63540,23 @@
<li>
- <p>If the <var title="">targetOrigin</var> argument has a value
- other than a single literal U+002A ASTERISK character (*), and
- the <code>Document</code> of the <code><a href=#window>Window</a></code> object on
- which the method was invoked does not have the <a href=#same-origin>same
- origin</a> as <var title="">targetOrigin</var>, then abort
- these steps silently.</p>
+ <p>If the <var title="">targetOrigin</var> argument is a single
+ literal U+002F SOLIDUS character (/), and the
+ <code>Document</code> of the <code><a href=#window>Window</a></code> object on which
+ the method was invoked does not have the <a href=#same-origin>same origin</a>
+ as the <a href=#entry-script>entry script</a>'s <a href="#script's-browsing-context" title="script's browsing
+ context">browsing context</a>, then abort these steps
+ silently.</p>
+ <p>Otherwise, if the <var title="">targetOrigin</var> argument is
+ an <a href=#absolute-url>absolute URL</a>, and the <code>Document</code> of the
+ <code><a href=#window>Window</a></code> object on which the method was invoked does
+ not have the <a href=#same-origin>same origin</a> as <var title="">targetOrigin</var>, then abort these steps silently.</p>
+
+ <p>Otherwise, the <var title="">targetOrigin</var> argument is a
+ single literal U+002A ASTERISK character (*), and no origin check
+ is made.</p>
+
</li>
<li>
Modified: source
===================================================================
--- source 2010-02-14 05:29:12 UTC (rev 4719)
+++ source 2010-02-14 05:44:01 UTC (rev 4720)
@@ -76885,7 +76885,10 @@
<p>If the origin of the target window doesn't match the given
origin, the message is discarded, to avoid information leakage. To
send the message to the target regardless of origin, set the
- target origin to "<code title="">*</code>".</p>
+ target origin to "<code title="">*</code>". To restrict the
+ message to same-origin targets only, without needing to explicitly
+ state the origin, set the target origin to "<code
+ title="">/</code>".</p>
<p>Throws an <code>INVALID_STATE_ERR</code> if the <var
title="">ports</var> array is not null and it contains either null
@@ -76909,12 +76912,10 @@
<li>
<p>If the value of the <var title="">targetOrigin</var> argument
- is not a single U+002A ASTERISK character (*), and <span
- title="resolve a url">resolving</span> it relative to the
- <span>entry script</span>'s <span title="script's base URL">base
- URL</span> either fails or results in a <span>URL</span> with a
+ is neither a single U+002A ASTERISK character (*), a single U+002F
+ SOLIDUS character (/), nor an <span>absolute URL</span> with a
<code title="url-host-specific"><host-specific></code>
- component that is neither empty nor a single U+002F SOLIDUS
+ component that is either empty or a single U+002F SOLIDUS
character (/), then throw a <code>SYNTAX_ERR</code> exception and
abort the overall set of steps.</p>
@@ -76939,13 +76940,24 @@
<li>
- <p>If the <var title="">targetOrigin</var> argument has a value
- other than a single literal U+002A ASTERISK character (*), and
- the <code>Document</code> of the <code>Window</code> object on
- which the method was invoked does not have the <span>same
- origin</span> as <var title="">targetOrigin</var>, then abort
- these steps silently.</p>
+ <p>If the <var title="">targetOrigin</var> argument is a single
+ literal U+002F SOLIDUS character (/), and the
+ <code>Document</code> of the <code>Window</code> object on which
+ the method was invoked does not have the <span>same origin</span>
+ as the <span>entry script</span>'s <span title="script's browsing
+ context">browsing context</span>, then abort these steps
+ silently.</p>
+ <p>Otherwise, if the <var title="">targetOrigin</var> argument is
+ an <span>absolute URL</span>, and the <code>Document</code> of the
+ <code>Window</code> object on which the method was invoked does
+ not have the <span>same origin</span> as <var
+ title="">targetOrigin</var>, then abort these steps silently.</p>
+
+ <p>Otherwise, the <var title="">targetOrigin</var> argument is a
+ single literal U+002A ASTERISK character (*), and no origin check
+ is made.</p>
+
</li>
<li>
@@ -77001,12 +77013,10 @@
<li>
<p>If the value of the <var title="">targetOrigin</var> argument
- is not a single U+002A ASTERISK character (*), and <span
- title="resolve a url">resolving</span> it relative to the
- <span>entry script</span>'s <span title="script's base URL">base
- URL</span> either fails or results in a <span>URL</span> with a
+ is neither a single U+002A ASTERISK character (*), a single U+002F
+ SOLIDUS character (/), nor an <span>absolute URL</span> with a
<code title="url-host-specific"><host-specific></code>
- component that is neither empty nor a single U+002F SOLIDUS
+ component that is either empty or a single U+002F SOLIDUS
character (/), then throw a <code>SYNTAX_ERR</code> exception and
abort the overall set of steps.</p>
@@ -77068,13 +77078,24 @@
<li>
- <p>If the <var title="">targetOrigin</var> argument has a value
- other than a single literal U+002A ASTERISK character (*), and
- the <code>Document</code> of the <code>Window</code> object on
- which the method was invoked does not have the <span>same
- origin</span> as <var title="">targetOrigin</var>, then abort
- these steps silently.</p>
+ <p>If the <var title="">targetOrigin</var> argument is a single
+ literal U+002F SOLIDUS character (/), and the
+ <code>Document</code> of the <code>Window</code> object on which
+ the method was invoked does not have the <span>same origin</span>
+ as the <span>entry script</span>'s <span title="script's browsing
+ context">browsing context</span>, then abort these steps
+ silently.</p>
+ <p>Otherwise, if the <var title="">targetOrigin</var> argument is
+ an <span>absolute URL</span>, and the <code>Document</code> of the
+ <code>Window</code> object on which the method was invoked does
+ not have the <span>same origin</span> as <var
+ title="">targetOrigin</var>, then abort these steps silently.</p>
+
+ <p>Otherwise, the <var title="">targetOrigin</var> argument is a
+ single literal U+002A ASTERISK character (*), and no origin check
+ is made.</p>
+
</li>
<li>