[whatwg] postMessage's target origin argument can be a full URL in some implementations

Adam Barth w3c at adambarth.com
Mon Jul 19 10:22:04 PDT 2010


On Mon, Jul 19, 2010 at 5:56 AM, Hallvord R M Steen <hallvors at gmail.com> wrote:
> 2010/7/15 Adam Barth <w3c at adambarth.com>:
>>  So, I'd prefer
>> that we didn't change APIs after shipping them unless necessary.  If
>> we keep changing shipping APIs, we'll exhaust early adopters, which is
>> bad for the ecosystem.
>
> I agree with that in general, however it makes things harder that this
> is an issue that might have security implications.

That's a pretty big stretch.  If I were to rate this as a security
vulnerability, I'd rate it as SecSeverity-None, which means I wouldn't
even issue an advisory for it.

> Opera hit this incompatibility on two sites. One is
> http://www.studivz.net , the other one is Facebook (we've asked both
> sites to fix the problem and referred them to the HTML5 spec).

I'm sure that's just the tip of the iceberg.  The trade-offs here seem
to indicate that we should align the spec with the implementations
rather than the other way around.

> My gut feeling is that if you fix this quickly we could avoid usage
> spreading even more on the web.

By quickly, you mean after multiple major releases?

Adam



More information about the whatwg mailing list