[html5] r1487 - /
whatwg at whatwg.org
Thu Apr 24 16:59:48 PDT 2008
Author: ianh
Date: 2008-04-24 16:59:48 -0700 (Thu, 24 Apr 2008)
New Revision: 1487
Modified:
index
source
Log:
[giow] (2) Make postMessage() asynchronous, require its second argument, make '*' be a generic wildcard value.
Modified: index
===================================================================
--- index 2008-04-24 08:58:57 UTC (rev 1486)
+++ index 2008-04-24 23:59:48 UTC (rev 1487)
@@ -26814,8 +26814,7 @@
<a href="#window">Window</a> <a href="#open2" title=dom-open>open</a>(in DOMString url, in DOMString target, in DOMString features, in DOMString replace);
// <a href="#cross-document">cross-document messaging</a>
- void <a href="#postmessage" title=dom-window-postMessage>postMessage</a>(in DOMString message);
- void <a href="#postmessage" title=dom-window-postMessage>postMessage</a>(in DOMString message, in DOMString origin);
+ void <a href="#postmessage" title=dom-window-postMessage>postMessage</a>(in DOMString message, in DOMString targetOrigin);
// <a href="#event4">event handler DOM attributes</a>
attribute <span>EventListener</span> <a href="#onabort" title=handler-onabort>onabort</a>;
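Review bot: dropping the one-argument overload of postMessage makes targetOrigin mandatory, but neither the IDL line nor the steps changed in this patch say what a call with the argument omitted does. State the failure mode explicitly (for example, which exception is thrown), since the old example call, o.contentWindow.postMessage('Hello world'), was valid before this revision.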
@@ -38288,9 +38287,9 @@
<p>When a script invokes the <dfn id=postmessage
title=dom-window-postMessage><code>postMessage(<var
- title="">message</var>, <var title="">origin</var>)</code></dfn> method on
- a <code><a href="#window">Window</a></code> object, the user agent must
- follow these steps:
+ title="">message</var>, <var title="">targetOrigin</var>)</code></dfn>
+ method on a <code><a href="#window">Window</a></code> object, the user
+ agent must follow these steps:
<ol>
<li>
@@ -38299,13 +38298,14 @@
href="#window">Window</a></code> object on which the method was invoked.
<li>
- <p>If the <var title="">origin</var> argument is present and not null,
- run these substeps:</p>
+ <p>If the <var title="">targetOrigin</var> argument has a value other
+ than a single literal U+002A ASTERISK character ("*"), run these
+ substeps:</p>
<ol>
<li>
- <p>If the value of the <var title="">origin</var> argument is not a
- valid URI or IRI, then throw a <code>SYNTAX_ERR</code> exception and
+ <p>If the value of the <var title="">targetOrigin</var> argument is not
+ a valid URI or IRI, then throw a <code>SYNTAX_ERR</code> exception and
abort the overall set of steps. <a href="#refsRFC3490">[RFC3986]</a>
<a href="#refsRFC3490">[RFC3987]</a>
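Review bot: the new condition in this step tests only for the literal "*", where the old text tested for "present and not null", so null and the empty string now enter the substeps and reach the "not a valid URI or IRI" check. Say explicitly whether those values throw SYNTAX_ERR, so that a caller who previously passed null to mean "no restriction" gets a defined result.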
@@ -38315,28 +38315,28 @@
abort the overall set of steps silently.
<li>
- <p>Otherwise, let <var title="">origin</var> be the URI or IRI parsed
- from the <var title="">origin</var> argument. <a
+ <p>Otherwise, let <var title="">targetOrigin</var> be the URI or IRI
+ parsed from the <var title="">targetOrigin</var> argument. <a
href="#refsRFC3490">[RFC3986]</a> <a href="#refsRFC3490">[RFC3987]</a>
<li>
- <p>If <var title="">origin</var> uses a URI scheme that does not have a
- server-based naming authority, then abort the overall set of steps
- silently. <a href="#refsRFC3490">[RFC3986]</a>
+ <p>If <var title="">targetOrigin</var> uses a URI scheme that does not
+ have a server-based naming authority, then abort the overall set of
+ steps silently. <a href="#refsRFC3490">[RFC3986]</a>
<li>
<p>Let <var title="">desired scheme</var> be the <scheme> component
- of <var title="">origin</var>.
+ of <var title="">targetOrigin</var>.
<li>
<p>Let <var title="">desired host</var> be the <host> or <ihost>
- part of <var title="">origin</var>, with the ToAscii algorithm
+ part of <var title="">targetOrigin</var>, with the ToAscii algorithm
applied. <a href="#refsRFC3490">[RFC3490]</a>
<li>
<p>Let <var title="">desired port</var> be the <port> component of
- <var title="">origin</var>, or, if there isn't one, the default port
- for <var title="">desired scheme</var>.
+ <var title="">targetOrigin</var>, or, if there isn't one, the default
+ port for <var title="">desired scheme</var>.
<li>
<p>If <var title="">desired scheme</var> is not the same as the scheme
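Review bot: in the substep "Otherwise, let targetOrigin be the URI or IRI parsed from the targetOrigin argument", the rename keeps one name for both the string argument and the parsed value; a distinct name for the parsed value would make the later scheme, host and port substeps unambiguous. Separately, the [RFC3986] and [RFC3987] links in these substeps all use href="#refsRFC3490", which looks like a copy of the RFC3490 anchor and should point at their own reference entries.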
@@ -38359,6 +38359,11 @@
</ol>
<li>
+ <p>Return from the <code title=dom-window-postMessage><a
+ href="#postmessage">postMessage()</a></code> method, but asynchronously
+ continue running these steps.</p>
+
+ <li>
<p>Create an event that uses the <code><a
href="#messageevent">MessageEvent</a></code> interface, with the event
name <code title=event-message><a href="#message0">message</a></code>,
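Review bot: the added step "Return from the postMessage() method, but asynchronously continue running these steps" sits after the scheme/host/port comparison against the target document, so the origin check now happens at call time while the dispatch happens later. The text should say how the two relate if the target browsing context navigates in between: either the message is dropped, or the comparison is repeated immediately before dispatch.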
@@ -38378,30 +38383,31 @@
href="#window">Window</a></code> object of the default view of the
browsing context with which that document is associated.</p>
- <p class=issue>Define 'origin' more exactly -- IDN vs no IDN, effect of
- window.document.domain on its value, etc</p>
+ <p class=big-issue>Define 'origin' more exactly -- IDN vs no IDN (should
+ probably be exposing unicode), effect of window.document.domain on its
+ value, etc</p>
<li>
- <p>Dispatch the event created in the previous step at the <var
- title="">target</var> document.
+ <p>Once the browsing context in which <var title="">target</var> is found
+ has no running scripts, dispatch the event created in the previous step
+ at the <var title="">target</var> document.</p>
+ <!-- XXX define this in
+ terms of the event queue -->
+ <p class=big-isue>Should we instead make this an event that bubbles and
+ fire it at the 'body' element? It seems inconsistent to make it fire on
+ document... Opinions?</p>
</ol>
- <p>The <code title=dom-window-postMessage><a
- href="#postmessage">postMessage()</a></code> method must only return once
- the event dispatch has been completely processed by the target document
- (i.e. all three of the capture, target, and bubble phases have been done,
- and event listeners have been executed as appropriate).
-
<p class=warning>Authors should check the <code
title=dom-MessageEvent-origin><a href="#origin1">origin</a></code>
attribute to ensure that messages are only accepted from domains that they
expect to receive messages from. Otherwise, bugs in the author's message
handling code could be exploited by hostile sites.
- <p class=warning>Authors should include the <var title="">origin</var>
- argument in messages that contain any confidential information, to make
- sure that the message is only delivered to the recipient to which it was
- intended.
+ <p class=warning>Authors should not use the wildcard keyword ("*") in the
+ <var title="">targetOrigin</var> argument in messages that contain any
+ confidential information, as otherwise there is no way to guarantee that
+ the message is only delivered to the recipient to which it was intended.
<div class=example>
<p>For example, if document A contains an <code><a
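Review bot: the rewritten dispatch step depends on the condition "has no running scripts", which the attached XXX comment acknowledges is not yet defined in terms of the event queue. Until it is, the order in which several pending messages reach the same target is unspecified; add at least a sentence requiring delivery in the order the postMessage() calls were made.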
@@ -38412,7 +38418,7 @@
document A. The script in document A might look like:</p>
<pre>var o = document.getElementsByTagName('object')[0];
-o.contentWindow.postMessage('Hello world');</pre>
+o.contentWindow.postMessage('Hello world', 'http://b.example.org/');</pre>
<p>To register an event handler for incoming events, the script would use
<code title="">addEventListener()</code> (or similar mechanisms). For
Modified: source
===================================================================
--- source 2008-04-24 08:58:57 UTC (rev 1486)
+++ source 2008-04-24 23:59:48 UTC (rev 1487)
@@ -5495,6 +5495,8 @@
title="attr-tabindex">tabindex</code> attribute on the
element.</li>
+ </ul>
+
</dd>
</dl>
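Review bot: the added </ul> after the tabindex list item is a markup fix unrelated to postMessage() and is not mentioned in the log message, and the index file has no matching change in this revision. Either mention it in the log or commit it separately, so the postMessage() change can be reviewed and reverted on its own.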
@@ -24519,8 +24521,7 @@
<span>Window</span> <span title="dom-open">open</span>(in DOMString url, in DOMString target, in DOMString features, in DOMString replace);
// <span>cross-document messaging</span>
- void <span title="dom-window-postMessage">postMessage</span>(in DOMString message);
- void <span title="dom-window-postMessage">postMessage</span>(in DOMString message, in DOMString origin);
+ void <span title="dom-window-postMessage">postMessage</span>(in DOMString message, in DOMString targetOrigin);
// <span>event handler DOM attributes</span>
attribute <span>EventListener</span> <span title="handler-onabort">onabort</span>;
@@ -35789,8 +35790,8 @@
<p>When a script invokes the <dfn
title="dom-window-postMessage"><code>postMessage(<var
title="">message</var>, <var
- title="">origin</var>)</code></dfn> method on a <code>Window</code>
- object, the user agent must follow these steps:
+ title="">targetOrigin</var>)</code></dfn> method on a
+ <code>Window</code> object, the user agent must follow these steps:
<ol>
@@ -35801,46 +35802,49 @@
<li>
- <p>If the <var title="">origin</var> argument is present and not
- null, run these substeps:</p>
+ <p>If the <var title="">targetOrigin</var> argument has a value
+ other than a single literal U+002A ASTERISK character ("*"), run
+ these substeps:</p>
<ol>
- <li><p>If the value of the <var title="">origin</var> argument is
- not a valid URI or IRI, then throw a <code>SYNTAX_ERR</code>
- exception and abort the overall set of steps. <a
- href="#refsRFC3490">[RFC3986]</a> <a
+ <li><p>If the value of the <var title="">targetOrigin</var>
+ argument is not a valid URI or IRI, then throw a
+ <code>SYNTAX_ERR</code> exception and abort the overall set of
+ steps. <a href="#refsRFC3490">[RFC3986]</a> <a
href="#refsRFC3490">[RFC3987]</a></p></li>
<li><p>If the <span>origin</span> of the <var
title="">target</var> document is not a scheme/host/port tuple,
then abort the overall set of steps silently.</p></li>
- <li><p>Otherwise, let <var title="">origin</var> be the URI or
- IRI parsed from the <var title="">origin</var> argument. <a
- href="#refsRFC3490">[RFC3986]</a> <a
+ <li><p>Otherwise, let <var title="">targetOrigin</var> be the URI
+ or IRI parsed from the <var title="">targetOrigin</var>
+ argument. <a href="#refsRFC3490">[RFC3986]</a> <a
href="#refsRFC3490">[RFC3987]</a></p></li>
- <li><p>If <var title="">origin</var> uses a URI scheme that does
- not have a server-based naming authority, then abort the overall
- set of steps silently. <a
+ <li><p>If <var title="">targetOrigin</var> uses a URI scheme that
+ does not have a server-based naming authority, then abort the
+ overall set of steps silently. <a
href="#refsRFC3490">[RFC3986]</a></p></li>
<li><p>Let <var title="">desired scheme</var> be the <scheme>
- component of <var title="">origin</var>.</p></li>
+ component of <var title="">targetOrigin</var>.</p></li>
<li><p>Let <var title="">desired host</var> be the <host> or
- <ihost> part of <var title="">origin</var>, with the ToAscii
- algorithm applied. <a href="#refsRFC3490">[RFC3490]</a></p></li>
+ <ihost> part of <var title="">targetOrigin</var>, with the
+ ToAscii algorithm applied. <a
+ href="#refsRFC3490">[RFC3490]</a></p></li>
<li><p>Let <var title="">desired port</var> be the <port>
- component of <var title="">origin</var>, or, if there isn't one,
- the default port for <var title="">desired scheme</var>.</p></li>
+ component of <var title="">targetOrigin</var>, or, if there isn't
+ one, the default port for <var title="">desired
+ scheme</var>.</p></li>
<li><p>If <var title="">desired scheme</var> is not the same as
the scheme component of the <span>origin</span> of the <var
- title="">target</var> document, then abort the overall set of steps
- silently.</p></li>
+ title="">target</var> document, then abort the overall set of
+ steps silently.</p></li>
<li><p>If <var title="">desired host</var> is not the same as the
host component of the <span>origin</span> of the <var
@@ -35859,6 +35863,14 @@
<li>
+ <p>Return from the <code
+ title="dom-window-postMessage">postMessage()</code> method, but
+ asynchronously continue running these steps.</p>
+
+ </li>
+
+ <li>
+
<p>Create an event that uses the <code>MessageEvent</code>
interface, with the event name <code
title="event-message">message</code>, which does not bubble, is
@@ -35875,32 +35887,37 @@
set to the <code>Window</code> object of the default view of the
browsing context with which that document is associated.</p>
- <p class="issue">Define 'origin' more exactly -- IDN vs no IDN,
- effect of window.document.domain on its value, etc</p>
+ <p class="big-issue">Define 'origin' more exactly -- IDN vs no IDN
+ (should probably be exposing unicode), effect of
+ window.document.domain on its value, etc</p>
</li>
- <li><p>Dispatch the event created in the previous step at the <var
- title="">target</var> document.</p></li>
+ <li><p>Once the browsing context in which <var
+ title="">target</var> is found has no running scripts, dispatch the
+ event created in the previous step at the <var
+ title="">target</var> document.</p> <!-- XXX define this in
+ terms of the event queue -->
+ <p class="big-isue">Should we instead make this an event that
+ bubbles and fire it at the 'body' element? It seems inconsistent to
+ make it fire on document... Opinions?</p>
+
+ </li>
+
</ol>
- <p>The <code title="dom-window-postMessage">postMessage()</code>
- method must only return once the event dispatch has been completely
- processed by the target document (i.e. all three of the capture,
- target, and bubble phases have been done, and event listeners have
- been executed as appropriate).</p>
-
<p class="warning">Authors should check the <code
title="dom-MessageEvent-origin">origin</code> attribute to ensure
that messages are only accepted from domains that they expect to
receive messages from. Otherwise, bugs in the author's message
handling code could be exploited by hostile sites.</p>
- <p class="warning">Authors should include the <var
- title="">origin</var> argument in messages that contain any
- confidential information, to make sure that the message is only
- delivered to the recipient to which it was intended.</p>
+ <p class="warning">Authors should not use the wildcard keyword ("*")
+ in the <var title="">targetOrigin</var> argument in messages that
+ contain any confidential information, as otherwise there is no way
+ to guarantee that the message is only delivered to the recipient to
+ which it was intended.</p>
<div class="example">
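Review bot: class="big-isue" on the added paragraph beginning "Should we instead make this an event that bubbles" is misspelled; the paragraph just above it uses class="big-issue". The same typo appears in the corresponding index hunk, so fix it in both files.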
@@ -35912,7 +35929,7 @@
might look like:</p>
<pre>var o = document.getElementsByTagName('object')[0];
-o.contentWindow.postMessage('Hello world');</pre>
+o.contentWindow.postMessage('Hello world', 'http://b.example.org/');</pre>
<p>To register an event handler for incoming events, the script
would use <code title="">addEventListener()</code> (or similar