[whatwg] Fixing two security vulnerabilities in registerProtocolHandler

Boris Zbarsky bzbarsky at MIT.EDU
Mon Sep 26 11:48:18 PDT 2011


On 9/26/11 2:09 PM, Tyler Close wrote:
> AFAICT, there is no API that the intent handler can
> reliably use to determine the correct targetOrigin for this
> postMessage invocation.

That's correct, though as long as you don't use too much in the way of 
about:blank or javascript: or data: URIs, passing window.location.href 
will do the right thing.

> I suggest fixing this problem by adding a new
> readonly DOMString that contains the correct origin for the
> postMessage invocation; perhaps document.origin.

I would be somewhat in favor of this.

-Boris



More information about the whatwg mailing list