[whatwg] A potential slight security enhancement to postMessage

Aaron Boodman aa at google.com
Thu Jan 31 08:56:30 PST 2008


On Thu, Jan 31, 2008 at 4:25 AM, Jeff Walden <jwalden+whatwg at mit.edu> wrote:
> Maciej Stachowiak wrote:
>  > The more convenient version of that would be to require clients to
>  > describe allowed senders when registering for the event in some way.
>
>  I thought about this, but then we necessarily lose the familiarity of the standard event-listener registration process, which outweighs the convenience in my book.

Not necessarily. You could do something like this:

window.createMessageReceiver("http://www.google.com")
    .addEventListener("post-message", function() {
  ...
}, false);

Could probably come up with a better method name, and I forget the
name of the event to use with PostMessage, but I hope you get the
idea.

I like Maciej's suggestion of making it a natural part of the
interface. If you tell people they have to read x property before y
property, they will just do:

// spec says we have to read this first
var foo = event.domain;
alert(event.message);

- a
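
The registration-time filtering idea sketched in this message, as an added example that is not part of the original message or of any specification. It is written against the standard "message" event and the event.origin property; createMessageReceiver and its signature are hypothetical, and an EventTarget stands in for window so the block runs outside a browser.

```javascript
// Added example: hypothetical helper, named after the sketch in the message.
function createMessageReceiver(target, allowedOrigins) {
  // Normalize once: scheme/host lowercased, default port and path dropped.
  const allowed = new Set(
    [].concat(allowedOrigins).map((o) => new URL(o).origin));
  const wrappers = new Map(); // listener -> wrapper, so removal works
  return {
    addEventListener(listener) {
      if (wrappers.has(listener)) return;
      const wrapper = (event) => {
        // Exact match on the serialized origin; never prefix or substring.
        if (typeof event.origin === 'string' && allowed.has(event.origin)) {
          listener(event);
        }
      };
      wrappers.set(listener, wrapper);
      target.addEventListener('message', wrapper, false);
    },
    removeEventListener(listener) {
      const wrapper = wrappers.get(listener);
      if (!wrapper) return;
      target.removeEventListener('message', wrapper, false);
      wrappers.delete(listener);
    },
  };
}

// Constructed demo: an EventTarget stands in for window, and plain Events
// carrying origin/data stand in for MessageEvents.
function demo() {
  const target = new EventTarget();
  const seen = [];
  const receiver = createMessageReceiver(target, 'http://www.google.com');
  receiver.addEventListener((e) => seen.push(e.data));
  const deliver = (origin, data) =>
    target.dispatchEvent(Object.assign(new Event('message'), { origin, data }));
  deliver('http://www.google.com', 'ok');                // allowed
  deliver('http://www.google.com.example', 'lookalike'); // different host
  deliver('https://www.google.com', 'other scheme');     // different scheme
  return seen;
}

console.log(demo()); // [ 'ok' ]
```

Because the origin check lives in the wrapper, a handler registered this way never sees a message from an unlisted origin, so there is no property it can forget to read.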


