Bug 42170

Summary:	postMessage() second argument should not accept full URL
Product:	WebKit	Reporter:	Anne van Kesteren <annevk>
Component:	DOM	Assignee:	Nobody <webkit-unassigned>
Status:	RESOLVED INVALID
Severity:	Normal	CC:	ap, ian, mike, shadow2531
Priority:	P2
Version:	528+ (Nightly build)
Hardware:	All
OS:	All
URL:	javascript:var url="http://www.example.com/test",win=window.open(url);try{win.postMessage("test",url);alert("FAIL")}catch(e){alert("PASS")}

Anne van Kesteren

Reported 2010-07-13 09:19:51 PDT

Per HTML5 http://www.whatwg.org/specs/web-apps/current-work/complete/web-messaging.html#dom-window-postmessage postMessage() should throw if targetOrigin contains a path component.

Attachments
Add attachment proposed patch, testcase, etc.

Anne van Kesteren

Comment 1 2010-07-13 09:23:39 PDT

See also: https://bugzilla.mozilla.org/show_bug.cgi?id=578380

Alexey Proskuryakov

Comment 2 2010-07-13 09:45:43 PDT

Anne, do you know if there is a good reason for this requirement? Ignoring unnecessary components seems cleaner in general.

Anne van Kesteren

Comment 3 2010-07-13 09:54:47 PDT

Authors might otherwise mistakenly believe they get more protection than they actually do. To me it seems cleaner to reject everything that is not an origin.

Alexey Proskuryakov

Comment 4 2010-07-13 10:14:08 PDT

In general, we strongly dislike raising exceptions where they weren't raised before, since that tends to transform minor/potential mistakes into serious breakage of functionality on existing pages.

Ian 'Hixie' Hickson

Comment 5 2010-08-10 18:11:28 PDT

The spec has changed.

Alexey Proskuryakov

Comment 6 2010-08-10 22:41:58 PDT

Thanks. This seems invalid per the new spec.

Note You need to log in before you can comment on or make changes to this bug.