[html5] r788 - /

whatwg at whatwg.org whatwg at whatwg.org
Fri Apr 27 19:32:53 PDT 2007


Author: ianh
Date: 2007-04-27 19:32:52 -0700 (Fri, 27 Apr 2007)
New Revision: 788

Modified:
   index
   source
Log:
[o] (2) postMessage() is on Document today; do we want to move it to Window?

Modified: index
===================================================================
--- index	2007-04-27 23:07:10 UTC (rev 787)
+++ index	2007-04-28 02:32:52 UTC (rev 788)
@@ -22,7 +22,7 @@
 
    <h1 id=web-applications>Web Applications 1.0</h1>
 
-   <h2 class="no-num no-toc" id=working>Working Draft — 27 April 2007</h2>
+   <h2 class="no-num no-toc" id=working>Working Draft — 28 April 2007</h2>
 
    <p>You can take part in this work. <a
     href="http://www.whatwg.org/mailing-list">Join the working group's
@@ -2356,9 +2356,14 @@
    <code>Document</code>'s origin, with the following exceptions:
 
   <ul>
-   <li>No exceptions.
+   <li>The <code title=dom-document-postMessage><a
+    href="#postmessage">postMessage()</a></code> method must be allowed to be
+    called from any script.
   </ul>
 
+  <p class=big-issue>We may want to just put postMessage on Window instead of
+   Document, as that reduces the XSS risk.
+
   <h4 id=resource><span class=secno>2.1.2. </span><dfn id=resource0>Resource
    metadata management</dfn></h4>
 
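Review bot: The new list item says only that postMessage() "must be allowed to be called from any script", which leaves the scope of the exception open. It replaces "No exceptions." in the rule that ends "Document's origin, with the following exceptions". I would state that the exception covers invoking this one method and nothing else on the Document, so an implementer does not read it as loosening access to other members.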
@@ -31789,6 +31794,9 @@
    to communicate with each other regardless of their source domain, in a way
    designed to not enable cross-site scripting attacks.
 
+  <p class=big-issue>We may want to just put postMessage on Window instead of
+   Document, as that reduces the XSS risk.
+
   <h4 id=processing1><span class=secno>6.4.1. </span>Processing model</h4>
 
   <p>When a script invokes the <dfn id=postmessage

Modified: source
===================================================================
--- source	2007-04-27 23:07:10 UTC (rev 787)
+++ source	2007-04-28 02:32:52 UTC (rev 788)
@@ -954,11 +954,17 @@
   <code>Document</code>'s origin, with the following exceptions:</p>
 
   <ul>
-   <li>No exceptions.
+
+   <li>The <code title="dom-document-postMessage">postMessage()</code>
+   method must be allowed to be called from any script.
+
   </ul>
 
+  <p class="big-issue">We may want to just put postMessage on Window
+  instead of Document, as that reduces the XSS risk.</p>
 
 
+
   <h4><dfn>Resource metadata management</dfn></h4>
 
   <p>The <dfn title="dom-document-URL"><code>URL</code></dfn>
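Review bot: The big-issue paragraph added after the list asserts that moving postMessage to Window "reduces the XSS risk" without saying what the risk is. One sentence naming it would let readers judge the proposal. For example, if the concern is that keeping the method on Document requires the cross-origin exception introduced in the list item just above, say so. Separately, the lone "+" blank line before the Resource metadata management heading looks like unintended whitespace churn and could be dropped.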
@@ -29213,6 +29219,8 @@
   domain, in a way designed to not enable cross-site scripting
   attacks.</p>
 
+  <p class="big-issue">We may want to just put postMessage on Window
+  instead of Document, as that reduces the XSS risk.</p>
 
   <h4>Processing model</h4>
 
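Review bot: The big-issue paragraph added before the Processing model heading repeats, word for word, the one added in the hunk at line 954 of this file. The two copies can drift, or one can be left behind when the question in the log message is settled. I would keep the text in one of the two sections and have the other refer to it.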



