[whatwg] postMessage's target origin argument can be a full URL in some implementations

Hallvord R M Steen hallvors at gmail.com
Wed Jul 14 15:40:08 PDT 2010

the way I read the spec, the target origin argument for
window.postMessage should be a protocol, host name and optionally port
number - in other words

window.postMessage( 'foo', 'http://www.example.com' )
window.postMessage( 'foo', 'http://www.example.com:81' )

However, it has come to my attention that both WebKit and Gecko's
implementation of postMessage() allows a full URL with path:

window.postMessage( 'foo', 'http://www.example.com/path/goes/here/' )

Isn't this a violation of the spec?

My personal opinion is that protocol+host+port is better, simply
because authors might assume the path is significant (i.e. think that
'http://www.geocities.com/foo' and 'http://www.geocities.com/bar'
would be different origins). Allowing paths that are simply ignored
might muddle the "origin" concept - not a major problem, but a small
potential point of confusion.

Opera follows the spec (as I read it) and throws an exception if a URL
with a path is used, but I've recently come across two different
scripts breaking in Opera because of this issue. I think it's very
important to get this clarified and hopefully fixed in WebKit and
Gecko before usage is too common and we have to modify the spec to
allow it :-(. (We're already discussing fixes with the two broken

Any comments from Mozilla and WebKit developers on the list?

P.S.: we reported some bugs for you, in case you agree with our
reading and want to fix it :-)

Hallvord R. M. Steen

More information about the whatwg mailing list