[whatwg] [Cross-document messaging] Restrictions on targetOrigin
Ian Hickson
ian at hixie.ch
Thu Jun 14 17:06:43 PDT 2012
On Fri, 10 Feb 2012, João Eiras wrote:
>
> Step 1 of the spec [1] for postMessage says:
>
> "1. If the value of the targetOrigin argument is neither a single U+002A
> ASTERISK character (*), a single U+002F SOLIDUS character (/), nor an
> absolute URL, then throw a SyntaxError exception and abort the overall
> set of steps."
>
> The absolute URL part will create problems when the origin of the
> scripting environment does not serialize to an absolute URL.
>
> For instance, if you have two documents A and B in a non-http context,
> where typically the origin will be "null", like file: or data:, and post
> a message from A to B, B will receive a message event whose event.origin
> property has a value of "null". If the listener then does
>
> # event.source.postMessage(reply, event.origin)
>
> (which is a code snippet easily found in online tutorials) step 1 causes
> that call to fail with a SYNTAX_ERR exception.
>
> Step 1 should be changed so that, instead of referring to an absolute
> URI, it refers to a valid origin, as serialized by the origin
> serialization algorithm.

If the origin doesn't serialise to an absolute URL, then we don't have a
way to check it (they're all "null"). So I don't think that works. That's
why it always throws SYNTAX_ERR for "null" origins.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
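
The behaviour discussed in this thread, as an added example that is not part of the original messages or of any browser's code: `checkTargetOrigin` models step 1 as quoted above, and `safeReply` is one way a listener can avoid the failing `event.source.postMessage(reply, event.origin)` call. The names `checkTargetOrigin`, `makeFakeWindow`, `safeReply`, `demo` and the origin `https://app.example` are assumptions made for illustration.

```javascript
// Model of step 1 of postMessage as quoted in the thread (not browser source).
function checkTargetOrigin(targetOrigin) {
  if (targetOrigin === "*" || targetOrigin === "/") return targetOrigin;
  try {
    // With no base argument, the URL constructor accepts only absolute URLs.
    new URL(targetOrigin);
  } catch (_) {
    throw new SyntaxError("invalid targetOrigin: " + JSON.stringify(targetOrigin));
  }
  return targetOrigin;
}

// Hypothetical stand-in for a window: applies the step-1 check, records sends.
function makeFakeWindow() {
  const sent = [];
  return {
    sent,
    postMessage(message, targetOrigin) {
      sent.push({ message, targetOrigin: checkTargetOrigin(targetOrigin) });
    },
  };
}

// Hypothetical reply helper: answer only origins on an explicit allowlist.
// "null" is never accepted: every file:/data: document serializes the same
// way, so the sender cannot be told apart, and replying with "*" would hand
// the reply to whatever document is loaded in that window at delivery time.
function safeReply(event, reply, allowedOrigins) {
  if (event.origin === "null" || !allowedOrigins.includes(event.origin)) {
    return false; // drop the reply instead of throwing or broadcasting
  }
  event.source.postMessage(reply, event.origin);
  return true;
}

// Constructed sample events: one http(s) sender, one "null"-origin sender.
function demo() {
  const allowed = ["https://app.example"];
  const w1 = makeFakeWindow();
  const w2 = makeFakeWindow();
  const http = safeReply({ origin: "https://app.example", source: w1 }, "pong", allowed);
  const nullOrigin = safeReply({ origin: "null", source: w2 }, "pong", allowed);
  let naive = "no error";
  try { w2.postMessage("pong", "null"); } catch (e) { naive = e.name; }
  return { http, httpSent: w1.sent.length, nullOrigin, nullSent: w2.sent.length, naive };
}
```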