[whatwg] postMessage's target origin argument can be a full URL in some implementations

Boris Zbarsky bzbarsky at MIT.EDU
Wed Jul 14 17:18:33 PDT 2010


On 7/14/10 6:40 PM, Hallvord R M Steen wrote:
> My personal opinion is that protocol+host+port is better, simply
> because authors might assume the path is significant (i.e. think that
> 'http://www.geocities.com/foo' and 'http://www.geocities.com/bar'
> would be different origins). Allowing paths that are simply ignored
> might muddle the "origin" concept - not a major problem, but a small
> potential point of confusion.

I've actually used urls with a path for the origin; specifically when I 
wanted to pass in "the origin of this page".  In particular, I passed in 
location.href.

I'm fine with removing the ability to pass in a path _if_ we create a 
simple way for scripts to get origins from pages which can then be 
passed for this argument.  The alternative is that scripts will be 
parsing location.href themselves to extract the thing to pass as the 
origin string, which is just asking for security fail in my experience.

-Boris



More information about the whatwg mailing list