[agiow] (2) Change postMessage()'s targetOrigin argument to not actually resolve but to just treat '/' specially. This will mean that targetOrigin can no longer be in the form '//example.com/' and can no longer be the empty string.

Fixing http://www.w3.org/Bugs/Public/show_bug.cgi?id=8490

git-svn-id: http://svn.whatwg.org/webapps@4720 340c8d12-0b0e-0410-8428-c7bf67bfef74
Hixie committed Feb 14, 2010
1 parent 2754845 commit 733c32735351936f071d7f716cab7161710fa1d4
Showing 3 changed files with 126 additions and 65 deletions.
@@ -68368,7 +68368,9 @@ <h4 id=posting-messages><span class=secno>10.4.3 </span>Posting messages</h4>
<p>If the origin of the target window doesn't match the given
origin, the message is discarded, to avoid information leakage. To
send the message to the target regardless of origin, set the
target origin to "<code title="">*</code>".</p>
target origin to "<code title="">*</code>". To restrict the
message to same-origin targets only, without needing to explicitly
state the origin, set the target origin to "<code title="">/</code>".</p>

<p>Throws an <code><a href=#invalid_state_err>INVALID_STATE_ERR</a></code> if the <var title="">ports</var> array is not null and it contains either null
entries or duplicate ports.</p>
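Review bot: The added sentence says "/" restricts the message to "same-origin targets" but does not say same origin as what. The processing steps changed in this commit compare the target against the entry script's browsing context, so the author-facing sentence should name that side of the comparison as well, for example "targets with the same origin as the calling script", so that it is not read as the origin of the window the method is invoked on.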
@@ -68384,11 +68386,10 @@ <h4 id=posting-messages><span class=secno>10.4.3 </span>Posting messages</h4>
<ol><li>

<p>If the value of the <var title="">targetOrigin</var> argument
is not a single U+002A ASTERISK character (*), and <a href=#resolve-a-url title="resolve a url">resolving</a> it relative to the
<a href=#entry-script>entry script</a>'s <a href="#script's-base-url" title="script's base URL">base
URL</a> either fails or results in a <a href=#url>URL</a> with a
is neither a single U+002A ASTERISK character (*), a single U+002F
SOLIDUS character (/), nor an <a href=#absolute-url>absolute URL</a> with a
<code title=url-host-specific><a href=#url-host-specific>&lt;host-specific&gt;</a></code>
component that is neither empty nor a single U+002F SOLIDUS
component that is either empty or a single U+002F SOLIDUS
character (/), then throw a <code><a href=#syntax_err>SYNTAX_ERR</a></code> exception and
abort the overall set of steps.</p>
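Review bot: The rewritten condition chains "neither ... nor ... nor" with an inner "either empty or a single U+002F SOLIDUS", and it is hard to tell on first reading whether the inner clause describes the accepted or the rejected URLs. Consider listing the accepted forms positively (a single "*", a single "/", or an absolute URL whose <host-specific> component is empty or "/") and throwing SYNTAX_ERR for anything else. Since, per the commit message, values such as '//example.com/' and the empty string no longer resolve and now throw, a short note stating that next to this step would help implementers and authors.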

@@ -68411,12 +68412,22 @@ <h4 id=posting-messages><span class=secno>10.4.3 </span>Posting messages</h4>

<li>

<p>If the <var title="">targetOrigin</var> argument has a value
other than a single literal U+002A ASTERISK character (*), and
the <code>Document</code> of the <code><a href=#window>Window</a></code> object on
which the method was invoked does not have the <a href=#same-origin>same
origin</a> as <var title="">targetOrigin</var>, then abort
these steps silently.</p>
<p>If the <var title="">targetOrigin</var> argument is a single
literal U+002F SOLIDUS character (/), and the
<code>Document</code> of the <code><a href=#window>Window</a></code> object on which
the method was invoked does not have the <a href=#same-origin>same origin</a>
as the <a href=#entry-script>entry script</a>'s <a href="#script's-browsing-context" title="script's browsing
context">browsing context</a>, then abort these steps
silently.</p>

<p>Otherwise, if the <var title="">targetOrigin</var> argument is
an <a href=#absolute-url>absolute URL</a>, and the <code>Document</code> of the
<code><a href=#window>Window</a></code> object on which the method was invoked does
not have the <a href=#same-origin>same origin</a> as <var title="">targetOrigin</var>, then abort these steps silently.</p>

<p>Otherwise, the <var title="">targetOrigin</var> argument is a
single literal U+002A ASTERISK character (*), and no origin check
is made.</p>

</li>
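Review bot: In the new first paragraph the Document of the target Window is checked for same origin against "the entry script's browsing context", while the following paragraph checks it against targetOrigin; the first comparison should name the object whose origin is meant (for instance the entry script itself, or the document of its browsing context). The final "Otherwise" paragraph also holds only because the earlier validation step rejects every value other than "*", "/" and an absolute URL, so a cross-reference to that step would make the three-way split easier to verify.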

@@ -68458,11 +68469,10 @@ <h4 id=posting-messages-with-message-ports><span class=secno>10.4.4 </span>Posti
<ol><!-- EXCEPT WHERE NOTED, THESE STEPS ARE IDENTICAL TO THE PREVIOUS SECTION --><!-- one exception is the use of -3 instead of -2 in the xrefs --><li>

<p>If the value of the <var title="">targetOrigin</var> argument
is not a single U+002A ASTERISK character (*), and <a href=#resolve-a-url title="resolve a url">resolving</a> it relative to the
<a href=#entry-script>entry script</a>'s <a href="#script's-base-url" title="script's base URL">base
URL</a> either fails or results in a <a href=#url>URL</a> with a
is neither a single U+002A ASTERISK character (*), a single U+002F
SOLIDUS character (/), nor an <a href=#absolute-url>absolute URL</a> with a
<code title=url-host-specific><a href=#url-host-specific>&lt;host-specific&gt;</a></code>
component that is neither empty nor a single U+002F SOLIDUS
component that is either empty or a single U+002F SOLIDUS
character (/), then throw a <code><a href=#syntax_err>SYNTAX_ERR</a></code> exception and
abort the overall set of steps.</p>
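Review bot: This is the same condition as in 10.4.3 written out a second time, and the HTML comment at the top of this list says the two step lists are kept identical by hand. Now that the condition has three accepted forms, consider defining the targetOrigin validation once and referencing it from both sections so the two copies cannot drift apart.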

@@ -68519,12 +68529,22 @@ <h4 id=posting-messages-with-message-ports><span class=secno>10.4.4 </span>Posti

<li>

<p>If the <var title="">targetOrigin</var> argument has a value
other than a single literal U+002A ASTERISK character (*), and
the <code>Document</code> of the <code><a href=#window>Window</a></code> object on
which the method was invoked does not have the <a href=#same-origin>same
origin</a> as <var title="">targetOrigin</var>, then abort
these steps silently.</p>
<p>If the <var title="">targetOrigin</var> argument is a single
literal U+002F SOLIDUS character (/), and the
<code>Document</code> of the <code><a href=#window>Window</a></code> object on which
the method was invoked does not have the <a href=#same-origin>same origin</a>
as the <a href=#entry-script>entry script</a>'s <a href="#script's-browsing-context" title="script's browsing
context">browsing context</a>, then abort these steps
silently.</p>

<p>Otherwise, if the <var title="">targetOrigin</var> argument is
an <a href=#absolute-url>absolute URL</a>, and the <code>Document</code> of the
<code><a href=#window>Window</a></code> object on which the method was invoked does
not have the <a href=#same-origin>same origin</a> as <var title="">targetOrigin</var>, then abort these steps silently.</p>

<p>Otherwise, the <var title="">targetOrigin</var> argument is a
single literal U+002A ASTERISK character (*), and no origin check
is made.</p>

</li>

62 index
@@ -63379,7 +63379,9 @@ function receiver(e) {
<p>If the origin of the target window doesn't match the given
origin, the message is discarded, to avoid information leakage. To
send the message to the target regardless of origin, set the
target origin to "<code title="">*</code>".</p>
target origin to "<code title="">*</code>". To restrict the
message to same-origin targets only, without needing to explicitly
state the origin, set the target origin to "<code title="">/</code>".</p>

<p>Throws an <code><a href=#invalid_state_err>INVALID_STATE_ERR</a></code> if the <var title="">ports</var> array is not null and it contains either null
entries or duplicate ports.</p>
@@ -63395,11 +63397,10 @@ function receiver(e) {
<ol><li>

<p>If the value of the <var title="">targetOrigin</var> argument
is not a single U+002A ASTERISK character (*), and <a href=#resolve-a-url title="resolve a url">resolving</a> it relative to the
<a href=#entry-script>entry script</a>'s <a href="#script's-base-url" title="script's base URL">base
URL</a> either fails or results in a <a href=#url>URL</a> with a
is neither a single U+002A ASTERISK character (*), a single U+002F
SOLIDUS character (/), nor an <a href=#absolute-url>absolute URL</a> with a
<code title=url-host-specific><a href=#url-host-specific>&lt;host-specific&gt;</a></code>
component that is neither empty nor a single U+002F SOLIDUS
component that is either empty or a single U+002F SOLIDUS
character (/), then throw a <code><a href=#syntax_err>SYNTAX_ERR</a></code> exception and
abort the overall set of steps.</p>

@@ -63422,12 +63423,22 @@ function receiver(e) {

<li>

<p>If the <var title="">targetOrigin</var> argument has a value
other than a single literal U+002A ASTERISK character (*), and
the <code>Document</code> of the <code><a href=#window>Window</a></code> object on
which the method was invoked does not have the <a href=#same-origin>same
origin</a> as <var title="">targetOrigin</var>, then abort
these steps silently.</p>
<p>If the <var title="">targetOrigin</var> argument is a single
literal U+002F SOLIDUS character (/), and the
<code>Document</code> of the <code><a href=#window>Window</a></code> object on which
the method was invoked does not have the <a href=#same-origin>same origin</a>
as the <a href=#entry-script>entry script</a>'s <a href="#script's-browsing-context" title="script's browsing
context">browsing context</a>, then abort these steps
silently.</p>

<p>Otherwise, if the <var title="">targetOrigin</var> argument is
an <a href=#absolute-url>absolute URL</a>, and the <code>Document</code> of the
<code><a href=#window>Window</a></code> object on which the method was invoked does
not have the <a href=#same-origin>same origin</a> as <var title="">targetOrigin</var>, then abort these steps silently.</p>

<p>Otherwise, the <var title="">targetOrigin</var> argument is a
single literal U+002A ASTERISK character (*), and no origin check
is made.</p>

</li>

@@ -63469,11 +63480,10 @@ function receiver(e) {
<ol><!-- EXCEPT WHERE NOTED, THESE STEPS ARE IDENTICAL TO THE PREVIOUS SECTION --><!-- one exception is the use of -3 instead of -2 in the xrefs --><li>

<p>If the value of the <var title="">targetOrigin</var> argument
is not a single U+002A ASTERISK character (*), and <a href=#resolve-a-url title="resolve a url">resolving</a> it relative to the
<a href=#entry-script>entry script</a>'s <a href="#script's-base-url" title="script's base URL">base
URL</a> either fails or results in a <a href=#url>URL</a> with a
is neither a single U+002A ASTERISK character (*), a single U+002F
SOLIDUS character (/), nor an <a href=#absolute-url>absolute URL</a> with a
<code title=url-host-specific><a href=#url-host-specific>&lt;host-specific&gt;</a></code>
component that is neither empty nor a single U+002F SOLIDUS
component that is either empty or a single U+002F SOLIDUS
character (/), then throw a <code><a href=#syntax_err>SYNTAX_ERR</a></code> exception and
abort the overall set of steps.</p>

@@ -63530,12 +63540,22 @@ function receiver(e) {

<li>

<p>If the <var title="">targetOrigin</var> argument has a value
other than a single literal U+002A ASTERISK character (*), and
the <code>Document</code> of the <code><a href=#window>Window</a></code> object on
which the method was invoked does not have the <a href=#same-origin>same
origin</a> as <var title="">targetOrigin</var>, then abort
these steps silently.</p>
<p>If the <var title="">targetOrigin</var> argument is a single
literal U+002F SOLIDUS character (/), and the
<code>Document</code> of the <code><a href=#window>Window</a></code> object on which
the method was invoked does not have the <a href=#same-origin>same origin</a>
as the <a href=#entry-script>entry script</a>'s <a href="#script's-browsing-context" title="script's browsing
context">browsing context</a>, then abort these steps
silently.</p>

<p>Otherwise, if the <var title="">targetOrigin</var> argument is
an <a href=#absolute-url>absolute URL</a>, and the <code>Document</code> of the
<code><a href=#window>Window</a></code> object on which the method was invoked does
not have the <a href=#same-origin>same origin</a> as <var title="">targetOrigin</var>, then abort these steps silently.</p>

<p>Otherwise, the <var title="">targetOrigin</var> argument is a
single literal U+002A ASTERISK character (*), and no origin check
is made.</p>

</li>

67 source
@@ -76885,7 +76885,10 @@ function receiver(e) {
<p>If the origin of the target window doesn't match the given
origin, the message is discarded, to avoid information leakage. To
send the message to the target regardless of origin, set the
target origin to "<code title="">*</code>".</p>
target origin to "<code title="">*</code>". To restrict the
message to same-origin targets only, without needing to explicitly
state the origin, set the target origin to "<code
title="">/</code>".</p>

<p>Throws an <code>INVALID_STATE_ERR</code> if the <var
title="">ports</var> array is not null and it contains either null
@@ -76909,12 +76912,10 @@ function receiver(e) {
<li>

<p>If the value of the <var title="">targetOrigin</var> argument
is not a single U+002A ASTERISK character (*), and <span
title="resolve a url">resolving</span> it relative to the
<span>entry script</span>'s <span title="script's base URL">base
URL</span> either fails or results in a <span>URL</span> with a
is neither a single U+002A ASTERISK character (*), a single U+002F
SOLIDUS character (/), nor an <span>absolute URL</span> with a
<code title="url-host-specific">&lt;host-specific&gt;</code>
component that is neither empty nor a single U+002F SOLIDUS
component that is either empty or a single U+002F SOLIDUS
character (/), then throw a <code>SYNTAX_ERR</code> exception and
abort the overall set of steps.</p>

@@ -76939,12 +76940,23 @@ function receiver(e) {

<li>

<p>If the <var title="">targetOrigin</var> argument has a value
other than a single literal U+002A ASTERISK character (*), and
the <code>Document</code> of the <code>Window</code> object on
which the method was invoked does not have the <span>same
origin</span> as <var title="">targetOrigin</var>, then abort
these steps silently.</p>
<p>If the <var title="">targetOrigin</var> argument is a single
literal U+002F SOLIDUS character (/), and the
<code>Document</code> of the <code>Window</code> object on which
the method was invoked does not have the <span>same origin</span>
as the <span>entry script</span>'s <span title="script's browsing
context">browsing context</span>, then abort these steps
silently.</p>

<p>Otherwise, if the <var title="">targetOrigin</var> argument is
an <span>absolute URL</span>, and the <code>Document</code> of the
<code>Window</code> object on which the method was invoked does
not have the <span>same origin</span> as <var
title="">targetOrigin</var>, then abort these steps silently.</p>

<p>Otherwise, the <var title="">targetOrigin</var> argument is a
single literal U+002A ASTERISK character (*), and no origin check
is made.</p>

</li>

@@ -77001,12 +77013,10 @@ function receiver(e) {
<li>

<p>If the value of the <var title="">targetOrigin</var> argument
is not a single U+002A ASTERISK character (*), and <span
title="resolve a url">resolving</span> it relative to the
<span>entry script</span>'s <span title="script's base URL">base
URL</span> either fails or results in a <span>URL</span> with a
is neither a single U+002A ASTERISK character (*), a single U+002F
SOLIDUS character (/), nor an <span>absolute URL</span> with a
<code title="url-host-specific">&lt;host-specific&gt;</code>
component that is neither empty nor a single U+002F SOLIDUS
component that is either empty or a single U+002F SOLIDUS
character (/), then throw a <code>SYNTAX_ERR</code> exception and
abort the overall set of steps.</p>

@@ -77068,12 +77078,23 @@ function receiver(e) {

<li>

<p>If the <var title="">targetOrigin</var> argument has a value
other than a single literal U+002A ASTERISK character (*), and
the <code>Document</code> of the <code>Window</code> object on
which the method was invoked does not have the <span>same
origin</span> as <var title="">targetOrigin</var>, then abort
these steps silently.</p>
<p>If the <var title="">targetOrigin</var> argument is a single
literal U+002F SOLIDUS character (/), and the
<code>Document</code> of the <code>Window</code> object on which
the method was invoked does not have the <span>same origin</span>
as the <span>entry script</span>'s <span title="script's browsing
context">browsing context</span>, then abort these steps
silently.</p>

<p>Otherwise, if the <var title="">targetOrigin</var> argument is
an <span>absolute URL</span>, and the <code>Document</code> of the
<code>Window</code> object on which the method was invoked does
not have the <span>same origin</span> as <var
title="">targetOrigin</var>, then abort these steps silently.</p>

<p>Otherwise, the <var title="">targetOrigin</var> argument is a
single literal U+002A ASTERISK character (*), and no origin check
is made.</p>

</li>
