[whatwg] postMessage's target origin argument can be a full URL in some implementations

Boris Zbarsky bzbarsky at MIT.EDU
Thu Jul 15 04:38:49 PDT 2010


On 7/15/10 3:40 AM, Simon Pieters wrote:
> The simple way to pass in the current origin, per spec, is to use the
> string "/".

Sounds like yet another spec change?  Gecko certainly doesn't support 
that, so it wasn't in the spec when we implemented...

>> The alternative is that scripts will be parsing location.href
>> themselves to extract the thing to pass as the origin string, which is
>> just asking for security fail in my experience.
>
> Even without the special string "/", a simple enough way to construct
> the origin is location.protocol+"//"+location.host.

Thanks for an _excellent_ illustration of my point.

Your code will happily pass in strings like "about://" for about:blank,
"jar://example.com" for "jar:http://example.com/!" (when the correct
origin is "http://example.com/"), etc.  It's _exactly_ the sort of naive
"everything is http" URI parsing that will get you in trouble in edge cases.

-Boris
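An added example (not from the thread) that reproduces the naive protocol+"//"+host construction with Node's WHATWG `URL` parser and contrasts it with a checked origin that is handed to postMessage only when it is a real http(s) origin; `href` stands in for location.href, and `target` is assumed to be any object exposing postMessage(). Today's parser need not yield exactly the jar: string Boris quotes, but the check rejects that case either way.

```javascript
// Added example, not code from the thread. `href` stands in for
// location.href; `target` is any object with a postMessage() method.

// The naive construction quoted in the thread, rebuilt from a URL object:
// for about:blank this yields "about://", which is not an origin at all.
function naiveOrigin(href) {
  const u = new URL(href);
  return u.protocol + "//" + u.host;
}

// Origins we are willing to pass as targetOrigin: http or https, a
// non-empty host, and nothing after it (no path, query or fragment).
const ORIGIN_RE = /^https?:\/\/[^\/?#]+$/;

// Return a validated origin, or null when the document has no usable
// origin (about:blank, jar:, data:, file:, an unparseable href, ...).
// Callers should then fall back to an explicit allowlisted origin
// instead of guessing one from the URL.
function checkedTargetOrigin(href) {
  let origin;
  try {
    origin = new URL(href).origin; // "null" for opaque origins
  } catch (e) {
    return null;                   // href did not parse as a URL
  }
  return ORIGIN_RE.test(origin) ? origin : null;
}

// Send only when the target origin passed the check; otherwise refuse
// loudly rather than posting with a malformed or wildcard origin.
function postToOrigin(target, message, href) {
  const origin = checkedTargetOrigin(href);
  if (origin === null) {
    throw new Error("refusing postMessage: no valid target origin for " + href);
  }
  target.postMessage(message, origin);
  return origin;
}
```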