Summary: | postMessage() second argument should not accept full URL | ||
---|---|---|---|
Product: | WebKit | Reporter: | Anne van Kesteren <annevk> |
Component: | DOM | Assignee: | Nobody <webkit-unassigned> |
Status: | RESOLVED INVALID | ||
Severity: | Normal | CC: | ap, ian, mike, shadow2531 |
Priority: | P2 | ||
Version: | 528+ (Nightly build) | ||
Hardware: | All | ||
OS: | All | ||
URL: | javascript:var url="http://www.example.com/test",win=window.open(url);try{win.postMessage("test",url);alert("FAIL")}catch(e){alert("PASS")} |
Description
Anne van Kesteren
2010-07-13 09:19:51 PDT
Anne, do you know if there is a good reason for this requirement? Ignoring unnecessary components seems cleaner in general.

Authors might otherwise mistakenly believe they get more protection than they actually do. To me it seems cleaner to reject everything that is not an origin.

In general, we strongly dislike raising exceptions where they weren't raised before, since that tends to transform minor/potential mistakes into serious breakage of functionality on existing pages.

The spec has changed. Thanks.

This seems invalid per the new spec.
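The concern raised in the thread, that a full URL in the second argument can suggest more protection than is actually applied, can be seen in a small model. This is an added example, not part of the bug report or of WebKit's code: the function names are hypothetical, and it assumes the behaviour the thread ends on, where a full URL is accepted and everything after the origin is ignored.

```javascript
// Model of how the second argument to postMessage() is reduced to an origin.
// Assumption: a full URL is parsed and only its origin
// (scheme, host, port) takes part in the delivery check.
function effectiveTargetOrigin(targetOrigin, callerOrigin) {
  if (targetOrigin === "*") return "*";           // no restriction at all
  if (targetOrigin === "/") return callerOrigin;  // caller's own origin
  return new URL(targetOrigin).origin;            // throws on an unparsable value
}

// Would a message be delivered to a window whose document is at targetUrl?
function wouldDeliver(targetOrigin, targetUrl, callerOrigin) {
  const effective = effectiveTargetOrigin(targetOrigin, callerOrigin);
  return effective === "*" || effective === new URL(targetUrl).origin;
}

// Author-side lint implementing the stricter rule proposed in the report:
// accept only a value that is already a serialized origin, so the argument
// never carries a path, query or fragment that looks like a restriction.
function isBareOrigin(value) {
  let parsed;
  try {
    parsed = new URL(value);
  } catch (e) {
    return false;                                 // not a URL at all
  }
  if (parsed.origin === "null") return false;     // opaque origin (data:, file:, ...)
  return value === parsed.origin;
}

// Constructed sample values, reusing the URL from the report's test case.
const caller = "http://caller.example";
const samples = [
  ["http://www.example.com/test", "http://www.example.com/test"],
  ["http://www.example.com/test", "http://www.example.com/other/page"],
  ["http://www.example.com/test", "https://www.example.com/test"],
];
for (const [arg, location] of samples) {
  console.log(arg, "->", location,
    "delivered:", wouldDeliver(arg, location, caller),
    "bare origin:", isBareOrigin(arg));
}
```

The second sample is the case to note: the path in the argument differs from the path of the receiving document, yet the message is still delivered, so the receiver must be trusted at origin granularity.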