[whatwg] Fixing two security vulnerabilities in registerProtocolHandler
Boris Zbarsky
bzbarsky at MIT.EDU
Mon Sep 26 11:48:18 PDT 2011
On 9/26/11 2:09 PM, Tyler Close wrote:
> AFAICT, there is no API that the intent handler can
> reliably use to determine the correct targetOrigin for this
> postMessage invocation.
That's correct, though as long as you don't use too much in the way of
about:blank or javascript: or data: URIs, passing window.location.href
will do the right thing.
> I suggest fixing this problem by adding a new
> readonly DOMString that contains the correct origin for the
> postMessage invocation; perhaps document.origin.
I would be somewhat in favor of this.
-Boris
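The exchange above is about how a protocol-handler page can choose a targetOrigin for its postMessage reply without falling back to "*". The following is an added example, not code from the thread or from any browser; it implements Boris's suggestion of deriving the origin from the page's own location and refuses the about:blank, javascript: and data: cases he flags, where the URL carries no usable origin. The handler URL, the receiver allowlist and the fake window object are all constructed for the example; it runs under Node using the WHATWG URL class.

```javascript
// Schemes whose pages have an opaque origin: serializing them yields the
// string "null", which is never a safe targetOrigin.
const OPAQUE_SCHEMES = new Set(['about:', 'javascript:', 'data:']);

// Derive the targetOrigin for a postMessage reply from the page's own href
// (window.location.href in a real page). Returns null when no trustworthy
// origin can be determined, so the caller can refuse rather than post to "*".
function originForPostMessage(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return null; // unparseable href: no origin to target
  }
  if (OPAQUE_SCHEMES.has(url.protocol)) return null;
  if (url.origin === 'null') return null; // any other opaque-origin case
  return url.origin; // e.g. "https://handler.example:8443"
}

// Sender side: post only when a concrete origin was derived. targetWindow is
// any object exposing postMessage(message, targetOrigin); a real page would
// pass the opener or the frame it is replying to.
function replyTo(targetWindow, message, href) {
  const origin = originForPostMessage(href);
  if (origin === null) {
    throw new Error('cannot determine a safe targetOrigin; refusing to post');
  }
  targetWindow.postMessage(message, origin);
  return origin;
}

// Receiver side: a message handler must still check event.origin against an
// allowlist before acting on event.data, regardless of what the sender did.
function isTrustedMessage(event, allowedOrigins) {
  return allowedOrigins.includes(event.origin);
}

// Constructed stand-in for a window, recording what would have been posted.
function makeFakeWindow() {
  return {
    posted: [],
    postMessage(message, targetOrigin) {
      this.posted.push({ message, targetOrigin });
    },
  };
}

module.exports = { originForPostMessage, replyTo, isTrustedMessage, makeFakeWindow };
```

The sender-side helper only addresses the case discussed in the thread (a page that knows its own URL); it does nothing for a handler loaded into an about:blank or data: document, which is exactly why a dedicated origin getter was being proposed. The receiver-side allowlist check is the other half of the same problem and is needed even when every sender is careful.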