[whatwg] postMessage's target origin argument can be a full URL in some implementations
simonp at opera.com
Thu Jul 15 05:13:02 PDT 2010
On Thu, 15 Jul 2010 13:38:49 +0200, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 7/15/10 3:40 AM, Simon Pieters wrote:
>> The simple way to pass in the current origin, per spec, is to use the
>> string "/".
> Sounds like yet another spec change? Gecko certainly doesn't support
> that, so it wasn't in the spec when we implemented...
Do you think the special value "/" is a good enough replacement for
location.href as the targetOrigin to remove the ability to pass in a path
>>> The alternative is that scripts will be parsing location.href
>>> themselves to extract the thing to pass as the origin string, which is
>>> just asking for security fail in my experience.
>> Even without the special string "/", a simple enough way to construct
>> the origin is location.protocol+"//"+location.host.
> Thanks for an _excellent_ illustration of my point.
> Your code will happily pass in strings like "about://" for about:blank,
> "jar://example.com" for "jar:http://example.com/!" (when the correct
> origin is "http://example.com/", etc. It's _exactly_ the sort of naive
> "everything is http" URI parsing that will get you in trouble in edge
More information about the whatwg