[whatwg] [Cross-document messaging] Restrictions on targetOrigin

João Eiras joaoe at opera.com
Fri Feb 10 08:09:03 PST 2012


Hi.

Step 1 of the spec [1] for postMessage says:

"1. If the value of the targetOrigin argument is neither a single U+002A  
ASTERISK character (*), a single U+002F SOLIDUS character (/), nor an  
absolute URL, then throw a SyntaxError exception and abort the overall set  
of steps."

The absolute URL part will create problems when the origin of the  
scripting environment does not serialize to an absolute URL.

For instance, if you have two documents A and B in a non-http context,  
where typically the origin will be "null", like file: or data:, and post a  
message from A to B, B will receive a message event whose event.origin  
property has a value of "null".
If the listener then does

# event.source.postMessage(reply, event.origin)

(which is a code snippet easily found in online tutorials) step 1 causes  
that call to fail with a SYNTAX_ERR exception.

Step 1 should be changed so that, instead of referring to an absolute URI,  
it refers to a valid origin, as serialized by the origin serialization algorithm.

Thoughts?

[1]  
http://www.whatwg.org/specs/web-apps/current-work/multipage/web-messaging.html#posting-messages
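
The failure described in the message above, as an added example that is not part of the original post: a model of step 1 as quoted, plus a listener-side guard for the reply pattern. The function names (`step1Accepts`, `replyTargetFor`, `onMessage`), the allowlist parameter and the sample origins are assumptions made for illustration.

```javascript
// Added example; names and sample origins are hypothetical.

// Step 1 as quoted: targetOrigin must be "*", "/", or an absolute URL.
function step1Accepts(targetOrigin) {
  if (targetOrigin === "*" || targetOrigin === "/") return true;
  try {
    new URL(targetOrigin); // no base argument, so only absolute URLs parse
    return true;
  } catch (e) {
    return false; // this is where the spec step throws the syntax error
  }
}

// Decide what targetOrigin a listener may use when replying with
//   event.source.postMessage(reply, event.origin)
// Returns the origin string, or null when no origin-restricted reply is possible.
function replyTargetFor(eventOrigin, allowedOrigins) {
  // Documents loaded from file: or data: report the origin "null",
  // which is not an absolute URL and fails step 1.
  if (eventOrigin === "null") return null;
  if (!step1Accepts(eventOrigin)) return null;
  // Reply only to origins the listener expects (assumed allowlist).
  return allowedOrigins.includes(eventOrigin) ? eventOrigin : null;
}

// Listener that drops the reply rather than throwing or widening the
// target to "*", which would deliver the reply to any origin.
function onMessage(event, allowedOrigins) {
  const target = replyTargetFor(event.origin, allowedOrigins);
  if (target === null) return false;
  event.source.postMessage({ ack: true }, target);
  return true;
}
```
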

