Ian updated the HTML 5 spec to use "null" instead of the empty string when the browser can't serialize the current origin. This means we can get rid of SecurityOrigin::toHTTPOrigin() and just use SecurityOrigin::toString() for both postMessage and XMLHttpRequest.
Patch forthcoming.
Created attachment 24554 [details] Patch Yay for merging these functions.
Fixed in http://trac.webkit.org/changeset/37805