[whatwg] A potential slight security enhancement to postMessage
Aaron Boodman
aa at google.com
Thu Jan 31 08:56:30 PST 2008
On Thu, Jan 31, 2008 at 4:25 AM, Jeff Walden <jwalden+whatwg at mit.edu> wrote:
> Maciej Stachowiak wrote:
> > The more convenient version of that would be to require clients to
> > describe allowed senders when registering for the event in some way.
>
> I thought about this, but then we necessarily lose the familiarity of the standard event-listener registration process, which outweighs the convenience in my book.
Not necessarily. You could do something like this:
  window.createMessageReceiver("http://www.google.com")
      .addEventListener("post-message", function() {
        ...
      }, false);
Could probably come up with a better method name, and I forget the
name of the event to use with PostMessage, but I hope you get the
idea.
I like Maciej's suggestion of making it a natural part of the
interface. If you tell people they have to read x property before y
property, they will just do:
  // spec says we have to read this first
  var foo = event.domain;
  alert(event.message);
- a
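
Added example, not part of the original message or of any specification: one way the receiver idea sketched above could be layered over the API as it later shipped, where the event is named "message" and the sender is exposed as event.origin. createMessageReceiver is the hypothetical name from the message; the target parameter, the demo function and the sample origins are assumptions constructed for illustration.

```javascript
// Added illustration. `target` stands in for window so the block runs
// outside a browser (Node provides EventTarget, Event and URL as globals).
function createMessageReceiver(target, allowedOrigin) {
  // Normalise once at registration; a malformed origin throws here rather
  // than silently never matching later.
  const allowed = new URL(allowedOrigin).origin;
  return {
    addEventListener(type, listener, capture = false) {
      target.addEventListener(type, (event) => {
        // The sender check runs before the listener can touch event.data,
        // so the page author cannot forget it or perform it as a no-op.
        if (event.origin !== allowed) return;
        listener(event);
      }, capture);
    },
  };
}

// Constructed demo: three messages from different origins, one receiver.
function demo() {
  const fakeWindow = new EventTarget();
  const seen = [];
  createMessageReceiver(fakeWindow, "http://www.google.com")
    .addEventListener("message", (e) => seen.push(e.data), false);

  const samples = [
    ["http://www.google.com", "trusted"],
    ["http://www.google.com.lookalike.example", "suffix lookalike"],
    ["https://www.google.com", "different scheme"],
  ];
  for (const [origin, data] of samples) {
    // Plain Event with origin/data attached, mimicking a MessageEvent.
    const event = Object.assign(new Event("message"), { origin, data });
    fakeWindow.dispatchEvent(event);
  }
  return seen; // only the exact-origin message reaches the listener
}
```

Because the comparison is an exact match on the full origin (scheme, host and port), substring or prefix lookalikes and scheme changes are dropped without the listener running.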