[whatwg] A potential slight security enhancement to postMessage

Jeff Walden jwalden+whatwg at MIT.EDU
Fri Feb 1 20:25:19 PST 2008

Aaron Boodman wrote:
> Not necessarily. You could do something like this:
> window.createMessageReceiver("http://www.google.com")
>     .addEventListener("post-message", function() {
>   ...
> }, false);
> Could probably come up with a better method name, and I forget the
> name of the event to use with PostMessage, but I hope you get the
> idea.

Ah, yes, hadn't given it enough thought to think of that idea.  Adding yet another object type to the HTML5 system seems suboptimal, but it would address the problem.  A whitespace-separated string of URIs (or prefixes?  or domains?  domains is least complicated but doesn't address protocol, and possibly not port) seems like a reasonable way to do it.

> If you tell people they have to read x property before y
> property, they will just do:
> // spec says we have to read this first
> var foo = event.domain;
> alert(event.message);

That'd be the fear, yes.  It depends to an extent on how the documentation's worded, which is the problem this is originally trying to avoid.
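
An added example, not part of the original message and not a browser API: a userland sketch of the receiver idea discussed in this thread, built on today's `message` event and its `event.origin` property, taking the whitespace-separated list suggested above. `createMessageReceiver` is the hypothetical name from the thread; `parseOrigins`, `target` and `demo` are names assumed here, and the sample messages are constructed.

```javascript
// Added example: the origin check lives in the registration step, so a
// handler cannot read the message before the sender has been verified.
function parseOrigins(list) {
  // Whitespace-separated entries, each normalised to scheme://host[:port]
  // so that protocol and port take part in the comparison, not just the domain.
  const origins = new Set();
  for (const entry of list.split(/\s+/).filter(Boolean)) {
    const url = new URL(entry);
    if (url.origin === "null") throw new Error("entry has no origin: " + entry);
    origins.add(url.origin);
  }
  return origins;
}

// `target` stands in for `window` so the sketch also runs outside a browser.
function createMessageReceiver(target, originList) {
  const allowed = parseOrigins(originList);
  return {
    addEventListener(handler) {
      target.addEventListener("message", (event) => {
        // Exact match on the full origin; anything else is dropped silently.
        if (allowed.has(event.origin)) handler(event);
      });
    },
  };
}

// Constructed sample messages dispatched on a stand-in for `window`.
function demo() {
  const fakeWindow = new EventTarget();
  const seen = [];
  createMessageReceiver(fakeWindow, "http://www.google.com https://example.org:8443")
    .addEventListener((e) => seen.push(e.data));
  const send = (origin, data) =>
    fakeWindow.dispatchEvent(Object.assign(new Event("message"), { origin, data }));
  send("http://www.google.com", "accepted");
  send("https://www.google.com", "wrong scheme");           // dropped
  send("http://www.google.com.other.example", "lookalike"); // dropped
  send("https://example.org:8443", "accepted with port");
  return seen;
}
```

Comparing full origins rather than domains covers the protocol and port gap raised in the message above.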

