<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:D="DAV:" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" 
xmlns="http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
 /* Font Definitions */
 @font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
 /* List Definitions */
 @list l0
        {mso-list-id:1609384709;
        mso-list-template-ids:-1435880802;}
@list l0:level1
        {mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level2
        {mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level3
        {mso-level-tab-stop:1.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level4
        {mso-level-tab-stop:2.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level5
        {mso-level-tab-stop:2.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level6
        {mso-level-tab-stop:3.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level7
        {mso-level-tab-stop:3.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level8
        {mso-level-tab-stop:4.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level9
        {mso-level-tab-stop:4.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext="edit">
  <o:idmap v:ext="edit" data="1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=EN-US link=blue vlink=purple>

<div class=Section1>

<p class=MsoListParagraph style='margin-left:.25in;text-indent:-.25in'><span
style='color:#1F497D'>This is a compelling feature and will greatly ease
developer pains around cross frame communication hacks. </span><span
style='color:#1F497D'>:-)</span><o:p></o:p></p>

<p class=MsoListParagraph style='text-indent:-.25in'><span style='font-family:
Symbol;color:#1F497D'>·</span><span style='font-size:7.0pt;font-family:"Times New Roman","serif";
color:#1F497D'>        </span><span
style='color:#1F497D'>The language in <a
href="http://www.whatwg.org/specs/web-apps/current-work/multipage/section-crossDocumentMessages.html"
target="_blank">http://www.whatwg.org/specs/web-apps/current-work/multipage/section-crossDocumentMessages.html</a>
overpromises the security of this feature and we recommend a revision. The
current language implies that cross-site scripting attacks are not possible.
This is not correct: the API only guarantees that a message arrives with a
trustworthy origin attribute. A developer who treats the received data as markup
or code (for example by writing it into the DOM with innerHTML, or passing it to
eval()) still runs attacker-controlled script if the sending origin is not
checked, or if an expected sender is itself compromised.</span><o:p></o:p></p>

<p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in'><span
style='font-family:"Courier New";color:black'>o</span><span style='font-size:
7.0pt;font-family:"Times New Roman","serif";color:black'>   </span><span
style='font-family:"Arial","sans-serif";color:black'>This section introduces a
messaging system that allows documents to communicate with each other
regardless of their source domain, in a way designed to </span><s><span
style='font-family:"Arial","sans-serif";color:red'>not enable cross-site
scripting attacks </span></s><span style='font-family:"Arial","sans-serif";
color:black'> enable prevention of script injection attacks.</span><o:p></o:p></p>

<p class=MsoListParagraph style='text-indent:-.25in'><span style='font-family:
Symbol;color:#1F497D'>·</span><span style='font-size:7.0pt;font-family:"Times New Roman","serif";
color:#1F497D'>        </span><span
style='color:#1F497D'>We’re glad to see the e.URI gone. It exposed the full URI
of the sending document, which could carry sensitive path and query-string data
that a receiver has no need for; the origin attribute is sufficient for access
decisions.</span><o:p></o:p></p>

<p class=MsoListParagraph style='text-indent:-.25in'><span style='font-family:
Symbol;color:#1F497D'>·</span><span style='font-size:7.0pt;font-family:"Times New Roman","serif";
color:#1F497D'>       </span><span style='color:#1F497D'>For the
postMessage (message, origin) method we would recommend the parameter be called
postMessage(message, </span><span style='color:red'>targetOrigin</span><span
style='color:#1F497D'>) since it’s easier to understand what it is. </span><o:p></o:p></p>

<p class=MsoNormal> <o:p></o:p></p>

<p class=MsoNormal><span style='color:#1F497D'>Here’s our rewrite!</span><o:p></o:p></p>

<p class=MsoNormal><span style='color:#1F497D'>Cheers,</span><o:p></o:p></p>

<p class=MsoNormal> <o:p></o:p></p>

<p class=MsoNormal> <o:p></o:p></p>

<p class=MsoNormal><b><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>6.4.1
Processing model</span></b><o:p></o:p></p>

<p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>When
a script invokes the </span><i><span style='font-size:10.0pt;font-family:"Courier New"'>postMessage(message,
<span style='color:red'>targetOrigin</span>)</span></i><span style='font-size:
12.0pt;font-family:"Times New Roman","serif"'> method on a </span><span
style='font-size:10.0pt;font-family:"Courier New"'><a
href="http://www.whatwg.org/specs/web-apps/current-work/multipage/section-the-default0.html#window"
target="_blank">Window</a></span><span style='font-size:12.0pt;font-family:
"Times New Roman","serif"'> object, the user agent must follow these steps: </span><o:p></o:p></p>

<ol style='margin-top:0in' start=1 type=1>
 <li class=MsoNormal style='mso-list:l0 level1 lfo1'><span style='font-size:
     12.0pt;font-family:"Times New Roman","serif"'>Let <i>target</i> be the </span><span
     style='font-size:10.0pt;font-family:"Courier New"'>Document</span><span
     style='font-size:12.0pt;font-family:"Times New Roman","serif"'> object
     that is the <a
     href="http://www.whatwg.org/specs/web-apps/current-work/multipage/section-windows.html#active"
     target="_blank">active document</a> of the </span><span style='font-size:
     10.0pt;font-family:"Courier New"'><a
     href="http://www.whatwg.org/specs/web-apps/current-work/multipage/section-the-default0.html#window"
     target="_blank">Window</a></span><span style='font-size:12.0pt;font-family:
     "Times New Roman","serif"'> object on which the method was invoked. </span><o:p></o:p></li>
 <li class=MsoNormal style='mso-list:l0 level1 lfo1'><span style='font-size:
     12.0pt;font-family:"Times New Roman","serif"'>If the </span><i><span
     style='font-size:10.0pt;font-family:"Courier New"'>targetOrigin</span></i><span
     style='font-size:12.0pt;font-family:"Times New Roman","serif"'> argument
     is present and not null, run these substeps:</span> <o:p></o:p></li>
 <ol style='margin-top:0in' start=1 type=1>
  <li class=MsoNormal style='mso-list:l0 level2 lfo1'><span style='font-size:
      12.0pt;font-family:"Times New Roman","serif"'>If the value of the </span><i><span
      style='font-size:10.0pt;font-family:"Courier New"'>targetOrigin</span></i><span
      style='font-size:12.0pt;font-family:"Times New Roman","serif"'> argument
      is not a valid URI or IRI, then throw a </span><span style='font-size:
      10.0pt;font-family:"Courier New"'>SYNTAX_ERR</span><span
      style='font-size:12.0pt;font-family:"Times New Roman","serif"'> exception
      and abort the overall set of steps. <a
      href="http://www.whatwg.org/specs/web-apps/current-work/multipage/section-crossDocumentMessages.html#refsRFC3490"
      target="_blank">[RFC3986]</a> <a
      href="http://www.whatwg.org/specs/web-apps/current-work/multipage/section-crossDocumentMessages.html#refsRFC3490"
      target="_blank">[RFC3987]</a> </span><o:p></o:p></li>
  <li class=MsoNormal style='mso-list:l0 level2 lfo1'><span style='font-size:
      12.0pt;font-family:"Times New Roman","serif"'>If the <a
      href="http://www.whatwg.org/specs/web-apps/current-work/multipage/section-scripting.html#origin0"
      target="_blank">origin</a> of the <i>target</i> document is not a
      scheme/host/port tuple, then abort the overall set of steps silently. </span><o:p></o:p></li>
  <li class=MsoNormal style='mso-list:l0 level2 lfo1'><span style='font-size:
      12.0pt;font-family:"Times New Roman","serif"'>Otherwise, let </span><i><span
      style='font-size:10.0pt;font-family:"Courier New"'>targetOrigin</span></i><span
      style='font-size:12.0pt;font-family:"Times New Roman","serif"'> be the
      URI or IRI parsed from the </span><i><span style='font-size:10.0pt;
      font-family:"Courier New"'>targetOrigin</span></i><span style='font-size:
      12.0pt;font-family:"Times New Roman","serif"'> argument. <a
      href="http://www.whatwg.org/specs/web-apps/current-work/multipage/section-crossDocumentMessages.html#refsRFC3490"
      target="_blank">[RFC3986]</a> <a
      href="http://www.whatwg.org/specs/web-apps/current-work/multipage/section-crossDocumentMessages.html#refsRFC3490"
      target="_blank">[RFC3987]</a> </span><o:p></o:p></li>
  <li class=MsoNormal style='mso-list:l0 level2 lfo1'><span style='font-size:
      12.0pt;font-family:"Times New Roman","serif"'>If </span><i><span
      style='font-size:10.0pt;font-family:"Courier New"'>targetOrigin</span></i><span
      style='font-size:12.0pt;font-family:"Times New Roman","serif"'> uses a
      URI scheme that does not have a server-based naming authority, then abort
      the overall set of steps silently. <a
      href="http://www.whatwg.org/specs/web-apps/current-work/multipage/section-crossDocumentMessages.html#refsRFC3490"
      target="_blank">[RFC3986]</a> </span><o:p></o:p></li>
  <li class=MsoNormal style='mso-list:l0 level2 lfo1'><span style='font-size:
      12.0pt;font-family:"Times New Roman","serif"'>Let <i>desired scheme</i>
      be the &lt;scheme&gt; component of </span><i><span style='font-size:10.0pt;
      font-family:"Courier New"'>targetOrigin</span></i><span style='font-size:
      12.0pt;font-family:"Times New Roman","serif"'>. </span><o:p></o:p></li>
  <li class=MsoNormal style='mso-list:l0 level2 lfo1'><span style='font-size:
      12.0pt;font-family:"Times New Roman","serif"'>Let <i>desired host</i> be
      the &lt;host&gt; or &lt;ihost&gt; part of </span><i><span
      style='font-size:10.0pt;font-family:"Courier New"'>targetOrigin</span></i><span
      style='font-size:12.0pt;font-family:"Times New Roman","serif"'>, with the
      ToAscii algorithm applied. <a
      href="http://www.whatwg.org/specs/web-apps/current-work/multipage/section-crossDocumentMessages.html#refsRFC3490"
      target="_blank">[RFC3490]</a> </span><o:p></o:p></li>
  <li class=MsoNormal style='mso-list:l0 level2 lfo1'><span style='font-size:
      12.0pt;font-family:"Times New Roman","serif"'>Let <i>desired port</i> be
      the &lt;port&gt; component of </span><i><span style='font-size:10.0pt;
      font-family:"Courier New"'>targetOrigin</span></i><span style='font-size:
      12.0pt;font-family:"Times New Roman","serif"'>, or, if there isn't one,
      the default port for <i>desired scheme</i>. </span><o:p></o:p></li>
  <li class=MsoNormal style='mso-list:l0 level2 lfo1'><span style='font-size:
      12.0pt;font-family:"Times New Roman","serif"'>If <i>desired scheme</i> is
      not the same as the scheme component of the <a
      href="http://www.whatwg.org/specs/web-apps/current-work/multipage/section-scripting.html#origin0"
      target="_blank">origin</a> of the <i>target</i> document, then abort the
      overall set of steps silently. </span><o:p></o:p></li>
  <li class=MsoNormal style='mso-list:l0 level2 lfo1'><span style='font-size:
      12.0pt;font-family:"Times New Roman","serif"'>If <i>desired host</i> is
      not the same as the host component of the <a
      href="http://www.whatwg.org/specs/web-apps/current-work/multipage/section-scripting.html#origin0"
      target="_blank">origin</a> of the <i>target</i> document, after having
      the ToAscii algorithm applied, then abort the overall set of steps
      silently. <a
      href="http://www.whatwg.org/specs/web-apps/current-work/multipage/section-crossDocumentMessages.html#refsRFC3490"
      target="_blank">[RFC3490]</a> </span><o:p></o:p></li>
  <li class=MsoNormal style='mso-list:l0 level2 lfo1'><span style='font-size:
      12.0pt;font-family:"Times New Roman","serif"'>If <i>desired port</i> is
      not the same as the port component of the <a
      href="http://www.whatwg.org/specs/web-apps/current-work/multipage/section-scripting.html#origin0"
      target="_blank">origin</a> of the <i>target</i> document, then abort the
      overall set of steps silently. </span><o:p></o:p></li>
 </ol>
 <li class=MsoNormal style='mso-list:l0 level1 lfo1'><span style='font-size:
     12.0pt;font-family:"Times New Roman","serif"'>Create an event that uses
     the </span><span style='font-size:10.0pt;font-family:"Courier New"'><a
     href="http://www.whatwg.org/specs/web-apps/current-work/multipage/section-event1.html#messageevent"
     target="_blank">MessageEvent</a></span><span style='font-size:12.0pt;
     font-family:"Times New Roman","serif"'> interface, with the event name </span><span
     style='font-size:10.0pt;font-family:"Courier New"'><a
     href="http://www.whatwg.org/specs/web-apps/current-work/multipage/section-event1.html#message0"
     target="_blank">message</a></span><span style='font-size:12.0pt;
     font-family:"Times New Roman","serif"'>, which bubbles, is cancelable, and
     has no default action. The </span><span style='font-size:10.0pt;
     font-family:"Courier New"'><a
     href="http://www.whatwg.org/specs/web-apps/current-work/multipage/section-event1.html#data4"
     target="_blank">data</a></span><span style='font-size:12.0pt;font-family:
     "Times New Roman","serif"'> attribute must be set to the value passed as
     the <i>message</i> argument to the </span><span style='font-size:10.0pt;
     font-family:"Courier New"'><a
     href="http://www.whatwg.org/specs/web-apps/current-work/multipage/section-crossDocumentMessages.html#postmessage"
     target="_blank">postMessage()</a></span><span style='font-size:12.0pt;
     font-family:"Times New Roman","serif"'> method, the </span><span
     style='font-size:10.0pt;font-family:"Courier New"'>origin</span><span
     style='font-size:12.0pt;font-family:"Times New Roman","serif"'> attribute
     must be set to the <a
     href="http://www.whatwg.org/specs/web-apps/current-work/multipage/section-scripting.html#origin0"
     target="_blank">origin</a> of the document that the script that invoked
     the methods is associated with, and the </span><span style='font-size:
     10.0pt;font-family:"Courier New"'><a
     href="http://www.whatwg.org/specs/web-apps/current-work/multipage/section-event1.html#source2"
     target="_blank">source</a></span><span style='font-size:12.0pt;font-family:
     "Times New Roman","serif"'> attribute must be set to the </span><span
     style='font-size:10.0pt;font-family:"Courier New"'><a
     href="http://www.whatwg.org/specs/web-apps/current-work/multipage/section-the-default0.html#window"
     target="_blank">Window</a></span><span style='font-size:12.0pt;font-family:
     "Times New Roman","serif"'> object of the default view of the browsing
     context with which that document is associated.</span> <o:p></o:p></li>
 <li class=MsoNormal style='mso-list:l0 level1 lfo1'><span style='font-size:
     12.0pt;font-family:"Times New Roman","serif"'>Dispatch the event created
     in the previous step at the <i>target</i> document. </span><o:p></o:p></li>
</ol>

<p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>The
</span><span style='font-size:10.0pt;font-family:"Courier New"'><a
href="http://www.whatwg.org/specs/web-apps/current-work/multipage/section-crossDocumentMessages.html#postmessage"
target="_blank">postMessage()</a></span><span style='font-size:12.0pt;
font-family:"Times New Roman","serif"'> method must only return once the event
dispatch has been completely processed by the target document (i.e. all three
of the capture, target, and bubble phases have been done, and event listeners
have been executed as appropriate). Delivery is therefore synchronous: the
target's listeners run, and may themselves call back into the sender, before
the caller's postMessage() returns, so senders must not assume their own state
is unchanged across the call. </span><o:p></o:p></p>

<p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>Authors
should check the </span><span style='font-size:10.0pt;font-family:"Courier New"'>origin</span><span
style='font-size:12.0pt;font-family:"Times New Roman","serif"'> attribute to ensure
that messages are only accepted from origins that they expect to receive
messages from. The comparison should be an exact match against the full
scheme/host/port origin string, never a prefix or substring test, which an
attacker can satisfy with a look-alike host name. Otherwise, bugs in the
author's message handling code could be exploited by hostile sites. </span><o:p></o:p></p>

<p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>Authors
should include the </span><i><span style='font-size:10.0pt;font-family:"Courier New"'>targetOrigin</span></i><span
style='font-size:12.0pt;font-family:"Times New Roman","serif"'> argument in
messages that contain any confidential information, to make sure that the
message is only delivered to the recipient to which it was intended. Without
it, the steps above deliver the message to whatever document currently occupies
the target window, which may have been navigated to a different origin since
the sender obtained its reference. </span><o:p></o:p></p>

<p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>For
example, if document A contains an </span><span style='font-size:10.0pt;
font-family:"Courier New"'><a
href="http://www.whatwg.org/specs/web-apps/current-work/multipage/section-embedded0.html#object"
target="_blank">object</a></span><span style='font-size:12.0pt;font-family:
"Times New Roman","serif"'> element that contains document B, and script in
document A calls </span><span style='font-size:10.0pt;font-family:"Courier New"'><a
href="http://www.whatwg.org/specs/web-apps/current-work/multipage/section-crossDocumentMessages.html#postmessage"
target="_blank">postMessage()</a></span><span style='font-size:12.0pt;
font-family:"Times New Roman","serif"'> on document B, then a message event
will be fired on that element, marked as originating from document A. The
script in document A might look like:</span><o:p></o:p></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>var
o = document.getElementsByTagName('object')[0];</span><o:p></o:p></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>o.contentWindow.postMessage('Hello
world', 'http://b.example.com');</span><o:p></o:p></p>

<p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>To
register an event handler for incoming events, the script would use </span><span
style='font-size:10.0pt;font-family:"Courier New"'>addEventListener()</span><span
style='font-size:12.0pt;font-family:"Times New Roman","serif"'> (or similar
mechanisms). For example, the script in document B might look like:</span><o:p></o:p></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>document.addEventListener('message',
receiver, false);</span><o:p></o:p></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>function
receiver(e) {</span><o:p></o:p></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'> 
if (e.origin == 'http://a.example.com') {</span><o:p></o:p></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>   
if (e.data == 'Hello world') {</span><o:p></o:p></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>     
e.source.postMessage('Hello', e.origin);</span><o:p></o:p></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>   
} else {</span><o:p></o:p></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>     
alert(e.data);</span><o:p></o:p></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>   
}</span><o:p></o:p></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'> 
}</span><o:p></o:p></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>}</span><o:p></o:p></p>

<p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>This
script first checks that the origin (scheme, host and port) of the sender is the
expected one, and then looks at the message, which it either displays to the
user, or responds to by sending a message back to the document which sent the
message in the first place. Note that even after the origin check the message is
still untrusted data: here it is passed to alert() rather than inserted into the
document as markup or evaluated as script.</span><o:p></o:p></p>

<p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>The
integrity of this API is based on the inability for scripts of one origin to
post arbitrary events (using </span><span style='font-size:10.0pt;font-family:
"Courier New"'>dispatchEvent()</span><span style='font-size:12.0pt;font-family:
"Times New Roman","serif"'> or otherwise) to objects in other origins; the origin
attribute is only meaningful because it is set by the user agent and cannot be
forged by the sending script. </span><o:p></o:p></p>

<p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>Implementors
are urged to take extra care in the implementation of this feature. It allows
authors to transmit information from one domain to another domain, which is
normally disallowed for security reasons. It also hands the receiver, via the
source attribute, a reference to a cross-origin Window, so UAs must be careful
to allow access to certain properties of that object but not others. </span><o:p></o:p></p>

<p class=MsoNormal><o:p> </o:p></p>

<p class=MsoNormal><o:p> </o:p></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>--
<br>
<b>Sunava D</b>utta<br>
Program Manager (AJAX) - Developer Experience Team, Internet Explorer<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>One
Microsoft Way, Redmond WA 98052<br>
TEL# (425) 705-1418 <o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>FAX#
(425) 936-7329</span><o:p></o:p></p>

<p class=MsoNormal><o:p> </o:p></p>

</div>

</body>

</html>