[whatwg] postMessage's target origin argument can be a full URL in some implementations
Boris Zbarsky
bzbarsky at MIT.EDU
Wed Jul 14 17:18:33 PDT 2010
On 7/14/10 6:40 PM, Hallvord R M Steen wrote:
> My personal opinion is that protocol+host+port is better, simply
> because authors might assume the path is significant (i.e. think that
> 'http://www.geocities.com/foo' and 'http://www.geocities.com/bar'
> would be different origins). Allowing paths that are simply ignored
> might muddle the "origin" concept - not a major problem, but a small
> potential point of confusion.
I've actually used urls with a path for the origin; specifically when I
wanted to pass in "the origin of this page". In particular, I passed in
location.href.
I'm fine with removing the ability to pass in a path _if_ we create a
simple way for scripts to get origins from pages which can then be
passed for this argument. The alternative is that scripts will be
parsing location.href themselves to extract the thing to pass as the
origin string, which is just asking for security fail in my experience.
-Boris
More information about the whatwg
mailing list