[whatwg] Fixing two security vulnerabilities in registerProtocolHandler

Jonas Sicking jonas at sicking.cc
Tue Sep 27 00:44:25 PDT 2011

On Mon, Sep 26, 2011 at 11:48 AM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 9/26/11 2:09 PM, Tyler Close wrote:
>> I suggest fixing this problem by adding a new
>> readonly DOMString that contains the correct origin for the
>> postMessage invocation; perhaps document.origin.
> I would be somewhat in favor of this.

Yeah, this seems like a good idea. Given how often we use origins
internally, I would be surprised if this isn't something that pages
need to do too.

/ Jonas

More information about the whatwg mailing list