[whatwg] Fixing two security vulnerabilities in registerProtocolHandler
Jonas Sicking
jonas at sicking.cc
Tue Sep 27 00:44:25 PDT 2011
On Mon, Sep 26, 2011 at 11:48 AM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 9/26/11 2:09 PM, Tyler Close wrote:
>> I suggest fixing this problem by adding a new
>> readonly DOMString that contains the correct origin for the
>> postMessage invocation; perhaps document.origin.
>
> I would be somewhat in favor of this.
Yeah, this seems like a good idea. Given how often we use origins
internally, I would be surprised if this isn't something that pages
need to do too.
/ Jonas
More information about the whatwg
mailing list