[whatwg] IE Team Feedback on HTML 5.0 Cross Document Messaging
Jeff Walden
jwalden+whatwg at MIT.EDU
Fri Apr 4 10:54:55 PDT 2008
Sunava Dutta wrote:
> · The language in http://www.whatwg.org/specs/web-apps/current-work/multipage/section-crossDocumentMessages.html overpromises the security of this feature and we recommend a revision. The current language implies that cross site scripting attacks are not possible. This is not correct since a developer can receive script from a postmessage and run it in the DOM.
I don't really think it's an overpromise, but there's nothing wrong with paranoia (I've already clearly indicted myself with <http://developer.mozilla.org/en/docs/DOM:window.postMessage> :-) ). I wouldn't add it myself, but if people are more comfortable with it than with the current wording, no complaints here.
> · We’re glad to see the e.URI gone. It exposed too much potentially dangerous information.
No complaints there, once I read the rationale behind the change.
> · For the postMessage (message, origin) method we would recommend the parameter be called postMessage(message, targetOrigin) since it’s easier to understand what it is.
No complaints here either.
> Here’s our rewrite!
Thanks for the feedback!
Jeff
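As an added illustration of the two points raised above (this is example code written for this archive page, not code from the thread, the WHATWG spec or Mozilla), the following shows the hazard Sunava describes, a receiver that runs whatever arrives from postMessage as script, next to a receiver that checks event.origin against an allowlist and treats the payload strictly as data, plus a sender wrapper that insists on a concrete targetOrigin. The origins https://app.example and https://attacker.example, the event objects and the fake window are all constructed so the file runs under Node without a browser.

```javascript
// Added example, not part of the original mailing-list post.
// Window objects and MessageEvents are stand-ins: plain objects built inline.

// Vulnerable receiver: trusts any sender and executes the message as script.
// The same-origin policy is not bypassed here; the page simply hands
// attacker-controlled text to a code sink. new Function stands in for
// eval(), innerHTML or injecting a <script> element.
function unsafeOnMessage(event) {
  return new Function(event.data)();
}

// Hypothetical allowlist of origins this page is willing to hear from.
const TRUSTED_ORIGINS = new Set(['https://app.example']);

// Hardened receiver: origin check first, then parse as data, then validate
// the shape, and only ever use the value through a text sink.
function safeOnMessage(event, trustedOrigins = TRUSTED_ORIGINS) {
  // 1. event.origin is filled in by the browser from the sending window and
  //    cannot be forged by page script, so it is the only sender identity
  //    the receiver can rely on. Compare against an explicit allowlist.
  if (!trustedOrigins.has(event.origin)) {
    return { accepted: false, reason: 'untrusted origin ' + event.origin };
  }
  // 2. Treat the payload as data. A JSON string (or an already structured
  //    object) is parsed; anything that fails to parse is rejected, not run.
  let msg;
  try {
    msg = typeof event.data === 'string' ? JSON.parse(event.data) : event.data;
  } catch (e) {
    return { accepted: false, reason: 'malformed payload' };
  }
  // 3. Schema check: only known message types with the expected field types.
  if (!msg || msg.type !== 'setTitle' || typeof msg.title !== 'string') {
    return { accepted: false, reason: 'unexpected message shape' };
  }
  // 4. The caller assigns title via textContent, never innerHTML or eval.
  return { accepted: true, action: 'setTitle', title: msg.title };
}

// Sender side: the second argument is the target origin the thread proposes
// to call targetOrigin. With a concrete origin the browser drops the message
// if the frame has since navigated elsewhere; '*' delivers it to whoever is
// there, so this wrapper refuses the wildcard.
function postToFrame(targetWindow, message, targetOrigin) {
  if (targetOrigin === '*') {
    throw new Error('refusing to post with wildcard targetOrigin');
  }
  targetWindow.postMessage(JSON.stringify(message), targetOrigin);
  return targetOrigin;
}

// Fake window that records what would have been posted (test double).
function makeFakeWindow() {
  const posted = [];
  return {
    posted,
    postMessage(data, targetOrigin) { posted.push({ data, targetOrigin }); }
  };
}

// Constructed sample events.
const attackerEvent = { origin: 'https://attacker.example', data: 'return 6*7' };
const trustedEvent = {
  origin: 'https://app.example',
  data: JSON.stringify({ type: 'setTitle', title: 'Hello' })
};
const trustedButOddEvent = {
  origin: 'https://app.example',
  data: JSON.stringify({ type: 'runScript', code: 'alert(1)' })
};

// Demo: the unsafe handler runs the attacker's code; the safe one rejects it.
console.log('unsafe handler evaluated attacker data to', unsafeOnMessage(attackerEvent));
console.log('safe handler on attacker event:', safeOnMessage(attackerEvent));
console.log('safe handler on trusted event:', safeOnMessage(trustedEvent));
console.log('safe handler on trusted but unexpected event:', safeOnMessage(trustedButOddEvent));
```

Note that the origin check alone is not enough: a trusted origin can still be tricked into relaying attacker input, which is why the payload is validated against a fixed schema and written only through textContent rather than through a code or markup sink.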