[whatwg] [Cross-document messaging] Restrictions on targetOrigin

Ian Hickson ian at hixie.ch
Thu Jun 14 17:06:43 PDT 2012

On Fri, 10 Feb 2012, João Eiras wrote:
> Step 1 of the spec [1] for postMessage says:
> "1. If the value of the targetOrigin argument is neither a single U+002A 
> ASTERISK character (*), a single U+002F SOLIDUS character (/), nor an 
> absolute URL, then throw a SyntaxError exception and abort the overall 
> set of steps."
> The absolute URL part will create problems when the origin of the 
> scripting environment does not serialize to an absolute URL.
> For instance, if you have two documents A and B in a non http context, 
> where typically the origin will be "null", like file: or data:, and post 
> a message from A to B, B will receive a message event which event.origin 
> property has a value of "null". If the listener then does
> # event.source.postMessage(reply, event.origin)
> (which is a code snippet easily found in online tutorials) step 1 causes 
> that call to fail with a SYNTAX_ERR exception.
> Step 1 should be changed to instead of referring to an absolute URI, 
> refer to a valid origin, as serialized by the origin serialization 
> algorithm.

If the origin doesn't serialise to an absolute URL, then we don't have a 
way to check it (they're all "null"). So I don't think that works. That's 
why it always throws SYNTAX_ERR for "null" origins.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list