[whatwg] postMessage's target origin argument can be a full URL in some implementations
Simon Pieters
simonp at opera.com
Thu Jul 15 00:40:50 PDT 2010
On Thu, 15 Jul 2010 02:18:33 +0200, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 7/14/10 6:40 PM, Hallvord R M Steen wrote:
>> My personal opinion is that protocol+host+port is better, simply
>> because authors might assume the path is significant (i.e. think that
>> 'http://www.geocities.com/foo' and 'http://www.geocities.com/bar'
>> would be different origins). Allowing paths that are simply ignored
>> might muddle the "origin" concept - not a major problem, but a small
>> potential point of confusion.
>
> I've actually used urls with a path for the origin; specifically when I
> wanted to pass in "the origin of this page". In particular, I passed in
> location.href.
>
> I'm fine with removing the ability to pass in a path _if_ we create a
> simple way for scripts to get origins from pages which can then be
> passed for this argument.
The simple way to pass in the current origin, per spec, is to use the
string "/".
> The alternative is that scripts will be parsing location.href themselves
> to extract the thing to pass as the origin string, which is just asking
> for security fail in my experience.
Even without the special string "/", a simple enough way to construct the
origin is location.protocol+"//"+location.host.
--
Simon Pieters
Opera Software
More information about the whatwg
mailing list