[whatwg] A potential slight security enhancement to postMessage

Jeff Walden jwalden+whatwg at MIT.EDU
Fri Feb 1 20:25:19 PST 2008


Aaron Boodman wrote:
> Not necessarily. You could do something like this:
> 
> window.createMessageReceiver("http://www.google.com")
>     .addEventListener("post-message", function() {
>   ...
> }, false);
> 
> Could probably come up with a better method name, and I forget the
> name of the event to use with PostMessage, but I hope you get the
> idea.

Ah, yes, hadn't given it enough thought to think of that idea.  Adding yet another object type to the HTML5 system seems suboptimal, but it would address the problem.  A whitespace-separated string of URIs (or prefixes?  or domains?  domains is least complicated but doesn't address protocol, and possibly not port) seems like a reasonable way to do it.


> If you tell people they have to read x property before y
> property, they will just do:
> 
> // spec says we have to read this first
> var foo = event.domain;
> alert(event.message);

That'd be the fear, yes.  It depends to an extent on how the documentation's worded, which is the problem this is originally trying to avoid.

Jeff
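An added example, not code from this thread or from the draft spec, showing the two points above in working form: an allow-list of whole origins (scheme, host and port, so "domains" alone would not do) behind a receiver, beside the naive receiver that reads the sender's origin "because the spec says so" and then acts on the message anyway. The helper name createMessageReceiver is borrowed from the quoted proposal and is hypothetical; the event fields are the shipped MessageEvent names (event.origin, event.data), not the draft's event.domain/event.message. The events at the bottom are constructed stand-ins for what window.postMessage would deliver.

```javascript
// Added example (not from the thread). Origin allow-list for a postMessage
// receiver, compared as full origins (scheme + host + port), not bare domains.
// Assumed names: createMessageReceiver (hypothetical, from the quoted proposal);
// event.origin / event.data (the MessageEvent fields that shipped).

// Parse "https://www.google.com https://mail.google.com:8443" into a Set of
// normalized origins. Going through URL drops the default port and lower-cases
// the host, so "https://WWW.google.com:443/" equals "https://www.google.com".
function parseAllowedOrigins(list) {
  const allowed = new Set();
  for (const token of list.trim().split(/\s+/)) {
    if (token === "") continue;
    if (token === "*") {
      throw new Error('"*" is not an origin; refusing to accept every sender');
    }
    let url;
    try {
      url = new URL(token);            // bare hostnames like "www.google.com" fail here
    } catch (e) {
      throw new Error("allow-list entry is not an absolute URL: " + token);
    }
    if (url.origin === "null") {       // data:, file:, javascript: and the like
      throw new Error("allow-list entry has an opaque origin: " + token);
    }
    if (url.pathname !== "/" || url.search !== "" || url.hash !== "") {
      throw new Error("allow-list entries must be origins, not URLs: " + token);
    }
    allowed.add(url.origin);
  }
  if (allowed.size === 0) throw new Error("empty allow-list");
  return allowed;
}

// Build a "message" listener that hands event.data to `handler` only when
// event.origin is in the allow-list. The check is an exact Set lookup on the
// whole origin: a substring or regex test on the hostname would let
// "https://www.google.com.evil.example" through.
function createMessageReceiver(allowList, handler) {
  const allowed = parseAllowedOrigins(allowList);
  return function onMessage(event) {
    if (!allowed.has(event.origin)) {
      return false;                    // dropped; event.data is never read
    }
    handler(event.data, event.origin);
    return true;
  };
}

// The pattern the thread is worried about: the origin is "read first" as
// documentation might demand, then ignored, and the message is used regardless.
function naiveReceiver(handler) {
  return function onMessage(event) {
    const sender = event.origin;       // read and never compared to anything
    handler(event.data, sender);
    return true;
  };
}

// Constructed events standing in for what window.postMessage would deliver.
const SAMPLE_EVENTS = [
  { origin: "https://www.google.com", data: "trusted" },
  { origin: "http://www.google.com", data: "wrong scheme" },
  { origin: "https://www.google.com:8443", data: "wrong port" },
  { origin: "https://www.google.com.evil.example", data: "lookalike host" },
  { origin: "null", data: "sandboxed or data: sender" },
];

// Run both receivers over the sample events; return what each one accepted.
function demo() {
  const accepted = { strict: [], naive: [] };
  const strict = createMessageReceiver(
    "https://www.google.com https://mail.google.com",
    (data) => accepted.strict.push(data)
  );
  const naive = naiveReceiver((data) => accepted.naive.push(data));
  for (const ev of SAMPLE_EVENTS) {
    strict(ev);
    naive(ev);
  }
  return accepted;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

In a page, the listener returned by createMessageReceiver is what you pass to window.addEventListener("message", ...); the strict receiver accepts only the first sample event, the naive one accepts all five.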


