[whatwg] postMessage's target origin argument can be a full URL in some implementations
Adam Barth
w3c at adambarth.com
Mon Jul 19 10:22:04 PDT 2010

On Mon, Jul 19, 2010 at 5:56 AM, Hallvord R M Steen <hallvors at gmail.com> wrote:
> 2010/7/15 Adam Barth <w3c at adambarth.com>:
>> So, I'd prefer
>> that we didn't change APIs after shipping them unless necessary. If
>> we keep changing shipping APIs, we'll exhaust early adopters, which is
>> bad for the ecosystem.
>
> I agree with that in general, however it makes things harder that this
> is an issue that might have security implications.

That's a pretty big stretch. If I were to rate this as a security
vulnerability, I'd rate it as SecSeverity-None, which means I wouldn't
even issue an advisory for it.

> Opera hit this incompatibility on two sites. One is
> http://www.studivz.net , the other one is Facebook (we've asked both
> sites to fix the problem and referred them to the HTML5 spec).

I'm sure that's just the tip of the iceberg. The trade-offs here seem
to indicate that we should align the spec with the implementations
rather than the other way around.

> My gut feeling is that if you fix this quickly we could avoid usage
> spreading even more on the web.

By quickly, you mean after multiple major releases?

Adam