[whatwg] postMessage's target origin argument can be a full URL in some implementations
jonas at sicking.cc
Wed Jul 14 15:45:14 PDT 2010
On Wed, Jul 14, 2010 at 3:40 PM, Hallvord R M Steen <hallvors at gmail.com> wrote:
> the way I read the spec, the target origin argument for
> window.postMessage should be a protocol, host name and optionally port
> number - in other words
> window.postMessage( 'foo', 'http://www.example.com' )
> window.postMessage( 'foo', 'http://www.example.com:81' )
> However, it has come to my attention that both WebKit and Gecko's
> implementation of postMessage() allows a full URL with path:
> window.postMessage( 'foo', 'http://www.example.com/path/goes/here/' )
> Isn't this a violation of the spec?
> My personal opinion is that protocol+host+port is better, simply
> because authors might assume the path is significant (i.e. think that
> 'http://www.geocities.com/foo' and 'http://www.geocities.com/bar'
> would be different origins). Allowing paths that are simply ignored
> might muddle the "origin" concept - not a major problem, but a small
> potential point of confusion.
> Opera follows the spec (as I read it) and throws an exception if a URL
> with a path is used, but I've recently come across two different
> scripts breaking in Opera because of this issue. I think it's very
> important to get this clarified and hopefully fixed in WebKit and
> Gecko before usage is too common and we have to modify the spec to
> allow it :-(. (We're already discussing fixes with the two broken
> Any comments from Mozilla and WebKit developers on the list?
> P.S.: we reported some bugs for you, in case you agree with our
> reading and want to fix it :-)
My understanding is that this was a requirement from the spec. An
unfortunate one at that. However when I found out it was too late to
get the spec changed as multiple implementations had already shipped.
More information about the whatwg