[whatwg] postMessage's target origin argument can be a full URL in some implementations

Adam Barth w3c at adambarth.com
Wed Jul 14 18:45:04 PDT 2010


On Wed, Jul 14, 2010 at 5:18 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 7/14/10 6:40 PM, Hallvord R M Steen wrote:
>>
>> My personal opinion is that protocol+host+port is better, simply
>> because authors might assume the path is significant (i.e. think that
>> 'http://www.geocities.com/foo' and 'http://www.geocities.com/bar'
>> would be different origins). Allowing paths that are simply ignored
>> might muddle the "origin" concept - not a major problem, but a small
>> potential point of confusion.
>
> I've actually used urls with a path for the origin; specifically when I
> wanted to pass in "the origin of this page".  In particular, I passed in
> location.href.
>
> I'm fine with removing the ability to pass in a path _if_ we create a simple
> way for scripts to get origins from pages which can then be passed for this
> argument.  The alternative is that scripts will be parsing location.href
> themselves to extract the thing to pass as the origin string, which is just
> asking for security fail in my experience.

Personally, I think we should stop screwing with postMessage and let
it be a stable enough API that folks can rely upon it.

Adam
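
Added example, not part of the original message or of any implementation discussed in the thread: deriving the scheme+host+port string from a full URL such as location.href with the URL parser instead of hand-rolled string handling, plus a model of a delivery check that ignores the path, showing why the two geocities URLs quoted above are the same target. Function names are hypothetical and all URLs are constructed samples.

```javascript
// Added example: function names are hypothetical and every URL is a
// constructed sample.

// Return the scheme+host+port string to pass as postMessage's targetOrigin,
// derived from a full URL such as location.href. Returns null when the URL
// does not parse or has an opaque origin (data:, file:), so the caller can
// refuse to send instead of falling back to "*".
function targetOriginFor(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return null;
  }
  return url.origin === "null" ? null : url.origin;
}

// Model of a path-ignoring delivery check: the targetOrigin string is parsed
// as a URL and only its origin is compared with the recipient's origin.
function wouldDeliver(targetOrigin, recipientHref) {
  if (targetOrigin === "*") return true; // wildcard: no restriction at all
  const wanted = targetOriginFor(targetOrigin);
  const actual = targetOriginFor(recipientHref);
  return wanted !== null && wanted === actual;
}

// Sender-side guard for authors who assumed the path was significant:
// report when a targetOrigin carries a path, query or fragment that the
// check above silently drops.
function hasIgnoredParts(targetOrigin) {
  let url;
  try {
    url = new URL(targetOrigin);
  } catch (e) {
    return false;
  }
  return url.pathname !== "/" || url.search !== "" || url.hash !== "";
}
```

In a page, the sender would call otherWindow.postMessage(data, targetOriginFor(location.href)) and skip the send when the result is null.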


