[whatwg] IE Team Feedback on HTML 5.0 Cross Document Messaging

Jeff Walden jwalden+whatwg at MIT.EDU
Fri Apr 4 10:54:55 PDT 2008


Sunava Dutta wrote:
> * The language in http://www.whatwg.org/specs/web-apps/current-work/multipage/section-crossDocumentMessages.html overpromises the security of this feature and we recommend a revision. The current language implies that cross site scripting attacks are not possible. This is not correct since a developer can receive script from a postmessage and run it in the DOM.

I don't really think it's an overpromise, but there's nothing wrong with paranoia (I've already clearly indicted myself with <http://developer.mozilla.org/en/docs/DOM:window.postMessage> :-) ).  I wouldn't add it myself, but if people are more comfortable with it than with the current wording, no complaints here.


> * We're glad to see the e.URI gone. It exposed too much potentially dangerous information.

No complaints there, once I read the rationale behind the change.


> * For the postMessage (message, origin) method we would recommend the parameter be called postMessage(message, targetOrigin) since it's easier to understand what it is.

No complaints here either.


> Here’s our rewrite!

Thanks for the feedback!

Jeff
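The two points raised above (a receiver can still introduce XSS by executing message content, and the second argument names the target origin) are illustrated in the following added example. It is not code from the thread, the WHATWG spec, or either vendor; the origins, command names and theme values are constructed assumptions. The receiver compares the browser-supplied event.origin against an allowlist and treats the payload strictly as data, and the sender always names an explicit targetOrigin. It runs in Node with constructed event objects and registers the same handler on window when loaded in a browser.

```javascript
// Added example (not from the thread): receiver- and sender-side handling
// for cross-document messaging. Runs in Node with constructed event
// objects; in a browser the same handler is registered on window.

// Origins this document accepts messages from (assumption: the application
// only expects messages from these two constructed sites).
const TRUSTED_ORIGINS = new Set([
  "https://app.example",
  "https://widget.example",
]);

// Messages are treated purely as data: a JSON object with a fixed
// vocabulary of commands. The payload is never passed to eval,
// new Function, innerHTML or similar, so it cannot become script.
const KNOWN_COMMANDS = new Set(["ping", "setTheme"]);
const ALLOWED_THEMES = new Set(["light", "dark"]);

// Returns a description of what was done with the event so the outcome can
// be inspected; side effects are confined to the `sink` callback.
function handleMessage(event, sink) {
  // 1. Check the sender. event.origin is set by the browser and cannot be
  //    chosen by the sending page, so it is the value to compare.
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { status: "rejected", reason: "untrusted origin " + event.origin };
  }
  // 2. Parse the payload as data. Anything that is not well-formed JSON
  //    with the expected shape is dropped.
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (e) {
    return { status: "rejected", reason: "malformed payload" };
  }
  if (typeof msg !== "object" || msg === null || !KNOWN_COMMANDS.has(msg.cmd)) {
    return { status: "rejected", reason: "unknown command" };
  }
  // 3. Dispatch on the command with strict validation of each argument.
  switch (msg.cmd) {
    case "ping":
      sink({ type: "pong" });
      return { status: "handled", cmd: "ping" };
    case "setTheme":
      if (!ALLOWED_THEMES.has(msg.theme)) {
        return { status: "rejected", reason: "unknown theme" };
      }
      sink({ type: "theme", value: msg.theme });
      return { status: "handled", cmd: "setTheme", theme: msg.theme };
  }
}

// Sender side: always name the intended recipient origin so the browser
// drops the message if the target window has meanwhile navigated elsewhere.
// The wildcard "*" is refused here because these messages may carry user data.
function sendTo(targetWindow, payload, targetOrigin) {
  if (targetOrigin === "*") {
    throw new Error("refusing to send with wildcard targetOrigin");
  }
  targetWindow.postMessage(JSON.stringify(payload), targetOrigin);
  return targetOrigin;
}

// Browser registration; skipped when run outside a browser (e.g. Node).
if (typeof window !== "undefined") {
  window.addEventListener("message", (ev) =>
    handleMessage(ev, (out) => console.log(out))
  );
}

// Constructed sample events covering the accept, reject and
// "script-looking text is just data" cases.
function demo() {
  const seen = [];
  const sink = (x) => seen.push(x);
  const results = [
    handleMessage({ origin: "https://app.example", data: '{"cmd":"ping"}' }, sink),
    handleMessage({ origin: "https://other.example", data: '{"cmd":"ping"}' }, sink),
    // Text that looks like script, even from a trusted origin, is not valid
    // JSON for a known command and is dropped rather than executed.
    handleMessage({ origin: "https://app.example", data: "some script text" }, sink),
    handleMessage({ origin: "https://widget.example", data: '{"cmd":"setTheme","theme":"dark"}' }, sink),
  ];
  return { results, seen };
}
```

In a page, call `sendTo(iframe.contentWindow, { cmd: "ping" }, "https://widget.example")` from the parent and let the registered listener handle replies; the only change needed to accept a new sender is adding its origin to the allowlist, never relaxing the data-only parsing.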
