[whatwg] postMessage's target origin argument can be a full URL in some implementations
bzbarsky at MIT.EDU
Thu Jul 15 04:38:49 PDT 2010
On 7/15/10 3:40 AM, Simon Pieters wrote:
> The simple way to pass in the current origin, per spec, is to use the
> string "/".
Sounds like yet another spec change? Gecko certainly doesn't support
that, so it wasn't in the spec when we implemented...
>> The alternative is that scripts will be parsing location.href
>> themselves to extract the thing to pass as the origin string, which is
>> just asking for security fail in my experience.
> Even without the special string "/", a simple enough way to construct
> the origin is location.protocol+"//"+location.host.
Thanks for an _excellent_ illustration of my point.
Your code will happily pass in strings like "about://" for about:blank,
"jar://example.com" for "jar:http://example.com/!" (when the correct
origin is "http://example.com/", etc. It's _exactly_ the sort of naive
"everything is http" URI parsing that will get you in trouble in edge cases.
More information about the whatwg