Bug 42170

Summary: postMessage() second argument should not accept full URL
Product: WebKit Reporter: Anne van Kesteren <annevk>
Component: DOMAssignee: Nobody <webkit-unassigned>
Status: RESOLVED INVALID    
Severity: Normal CC: ap, ian, mike, shadow2531
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
URL: javascript:var url="http://www.example.com/test",win=window.open(url);try{win.postMessage("test",url);alert("FAIL")}catch(e){alert("PASS")}

Description Anne van Kesteren 2010-07-13 09:19:51 PDT 
Per HTML5 http://www.whatwg.org/specs/web-apps/current-work/complete/web-messaging.html#dom-window-postmessage postMessage() should throw if targetOrigin contains a path component.
Comment 1 Anne van Kesteren 2010-07-13 09:23:39 PDT 
See also: https://bugzilla.mozilla.org/show_bug.cgi?id=578380
Comment 2 Alexey Proskuryakov 2010-07-13 09:45:43 PDT 
Anne, do you know if there is a good reason for this requirement? Ignoring unnecessary components seems cleaner in general.
Comment 3 Anne van Kesteren 2010-07-13 09:54:47 PDT 
Authors might otherwise mistakenly believe they get more protection than they actually do. To me it seems cleaner to reject everything that is not an origin.
Comment 4 Alexey Proskuryakov 2010-07-13 10:14:08 PDT 
In general, we strongly dislike raising exceptions where they weren't raised before, since that tends to transform minor/potential mistakes into serious breakage of functionality on existing pages.
Comment 5 Ian 'Hixie' Hickson 2010-08-10 18:11:28 PDT 
The spec has changed.
Comment 6 Alexey Proskuryakov 2010-08-10 22:41:58 PDT 
Thanks. This seems invalid per the new spec.