[whatwg] postMessage's target origin argument can be a full URL in some implementations

Hallvord R M Steen hallvors at gmail.com
Mon Jul 19 05:56:01 PDT 2010

2010/7/15 Adam Barth <w3c at adambarth.com>:

>>> Personally, I think we should stop screwing with postMessage and let
>>> it be a stable enough API that folks can rely upon it.
>> Screwing with the spec, or with implementations?  The spec, as currently
>> written, is not compatible with the majority of shipped implementations....
> The implementations were compatible with the spec when the
> implementations were written, as far as I remember.

I have no idea when other implementations of postMessage() were
written. However, "throw an exception if targetOrigin has a
path/query/fragment" is a spec requirement since October 2008
according to this change:

It seems only implemented correctly in Opera (have not tested IE though).

>  So, I'd prefer
> that we didn't change APIs after shipping them unless necessary.  If
> we keep changing shipping APIs, we'll exhaust early adopters, which is
> bad for the ecosystem.

I agree with that in general, however it makes things harder that this
is an issue that might have security implications.

Opera hit this incompatibility on two sites. One is
http://www.studivz.net , the other one is Facebook (we've asked both
sites to fix the problem and referred them to the HTML5 spec).
Additionally, Boris stated he has written such scripts himself.
Facebook uses it in a "clever" way to actually pass on some GUID/data
in the path, which will presumably appear in e.origin in the message

My gut feeling is that if you fix this quickly we could avoid usage
spreading even more on the web. However, we have a patch ready to go
to align Opera's implementation with yours, in case you want to keep
it and get Ian to change the spec.

Hallvord R. M. Steen
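
Added example, not part of the original message and not any browser's or site's code: a sender-side check that applies the rule quoted above (reject a targetOrigin carrying a path, query or fragment) before calling postMessage, so a script behaves the same whether or not the browser enforces it. The helper names `checkTargetOrigin` and `safePostMessage` and the example.com values are assumptions made for illustration.

```javascript
// Added illustration; checkTargetOrigin and safePostMessage are hypothetical names.
// Rule applied: the one quoted in the message (no path, query or fragment).

function checkTargetOrigin(targetOrigin) {
  // "*" places no restriction on the receiver, so there is nothing to parse.
  if (targetOrigin === "*") return "*";

  let url;
  try {
    url = new URL(targetOrigin); // relative or malformed input throws here
  } catch (e) {
    throw new SyntaxError("targetOrigin is not an absolute URL: " + targetOrigin);
  }

  // The URL parser drops an empty "?" or "#", so also look at the raw string.
  const hasPath = url.pathname !== "" && url.pathname !== "/";
  const hasQuery = url.search !== "" || targetOrigin.includes("?");
  const hasFragment = url.hash !== "" || targetOrigin.includes("#");
  if (hasPath || hasQuery || hasFragment) {
    throw new SyntaxError("targetOrigin must be scheme://host[:port] only: " + targetOrigin);
  }
  return url.origin; // serialized origin, default port removed
}

// Validate first, then hand only the bare origin to postMessage.
function safePostMessage(targetWindow, message, targetOrigin) {
  const origin = checkTargetOrigin(targetOrigin);
  targetWindow.postMessage(message, origin);
  return origin;
}

// Constructed sample inputs; the path value stands in for data smuggled in the URL.
const samples = [
  "https://example.com",
  "https://example.com:443/",
  "https://example.com/channel/1234-abcd",
  "https://example.com/?id=1",
  "https://example.com/#frag",
];
for (const s of samples) {
  try {
    console.log(s, "->", checkTargetOrigin(s));
  } catch (e) {
    console.log(s, "-> rejected:", e.name);
  }
}
```

Data that a page wants to associate with the message belongs in the message argument, which the check above leaves untouched.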
