Skip to content
Permalink
Browse files

[giow] (2) drop support for '/' origins in postMessage(), and require…

… that paths be ignored.

git-svn-id: http://svn.whatwg.org/webapps@5277 340c8d12-0b0e-0410-8428-c7bf67bfef74
  • Loading branch information...
Hixie committed Aug 11, 2010
1 parent 0a41e0b commit cf05b234b1a6a7b02abb9171d8c5a67c35fe82c8
Showing with 15 additions and 45 deletions.
  1. +5 −15 complete.html
  2. +5 −15 index
  3. +5 −15 source

<header class=head id=head><p><a class=logo href=http://www.whatwg.org/ rel=home><img alt=WHATWG src=/images/logo></a></p>
<hgroup><h1>Web Applications 1.0</h1>
<h2 class="no-num no-toc">Draft Standard &mdash; 10 August 2010</h2>
<h2 class="no-num no-toc">Draft Standard &mdash; 11 August 2010</h2>
</hgroup><p>You can take part in this work. <a href=http://www.whatwg.org/mailing-list>Join the working group's discussion list.</a></p>
<p><strong>Web designers!</strong> We have a <a href=http://blog.whatwg.org/faq/>FAQ</a>, a <a href=http://forums.whatwg.org/>forum</a>, and a <a href=http://www.whatwg.org/mailing-list#help>help mailing list</a> for you!</p>
<!--<p class="impl"><strong>Implementors!</strong> We have a <a href="http://www.whatwg.org/mailing-list#implementors">mailing list</a> for you too!</p>-->
send the message to the target regardless of origin, set the
target origin to "<code title="">*</code>". To restrict the
message to same-origin targets only, without needing to explicitly
state the origin, set the target origin to "<code title="">/</code>".</p>
state the origin, pass the <code title=dom-location><a href=#dom-location>window.location</a></code> object.</p>

<p>Throws an <code><a href=#invalid_state_err>INVALID_STATE_ERR</a></code> if the <var title="">ports</var> array is not null and it contains either null
entries or duplicate ports.</p>
<ol><li>

<p>If the value of the <var title="">targetOrigin</var> argument
is neither a single U+002A ASTERISK character (*), a single U+002F
SOLIDUS character (/), nor an <a href=#absolute-url>absolute URL</a> with a
<code title=url-host-specific><a href=#url-host-specific>&lt;host-specific&gt;</a></code>
component that is either empty or a single U+002F SOLIDUS
character (/), then throw a <code><a href=#syntax_err>SYNTAX_ERR</a></code> exception and
abort the overall set of steps.</p>
is neither a single U+002A ASTERISK character (*) nor an
<a href=#absolute-url>absolute URL</a>, then throw a <code><a href=#syntax_err>SYNTAX_ERR</a></code>
exception and abort the overall set of steps.</p>

</li>


<li>

<p>If the <var title="">targetOrigin</var> argument is a single
literal U+002F SOLIDUS character (/), and the
<code><a href=#document>Document</a></code> of the <code><a href=#window>Window</a></code> object on which
the method was invoked does not have the <a href=#same-origin>same origin</a>
as the <a href=#entry-script>entry script</a>'s <a href="#script's-document" title="script's
document">document</a>, then abort these steps silently.</p>

<p>Otherwise, if the <var title="">targetOrigin</var> argument is
an <a href=#absolute-url>absolute URL</a>, and the <code><a href=#document>Document</a></code> of the
<code><a href=#window>Window</a></code> object on which the method was invoked does
20 index

<header class=head id=head><p><a class=logo href=http://www.whatwg.org/ rel=home><img alt=WHATWG src=/images/logo></a></p>
<hgroup><h1>HTML5 (including next generation additions still in development)</h1>
<h2 class="no-num no-toc">Draft Standard &mdash; 10 August 2010</h2>
<h2 class="no-num no-toc">Draft Standard &mdash; 11 August 2010</h2>
</hgroup><p>You can take part in this work. <a href=http://www.whatwg.org/mailing-list>Join the working group's discussion list.</a></p>
<p><strong>Web designers!</strong> We have a <a href=http://blog.whatwg.org/faq/>FAQ</a>, a <a href=http://forums.whatwg.org/>forum</a>, and a <a href=http://www.whatwg.org/mailing-list#help>help mailing list</a> for you!</p>
<!--<p class="impl"><strong>Implementors!</strong> We have a <a href="http://www.whatwg.org/mailing-list#implementors">mailing list</a> for you too!</p>-->
send the message to the target regardless of origin, set the
target origin to "<code title="">*</code>". To restrict the
message to same-origin targets only, without needing to explicitly
state the origin, set the target origin to "<code title="">/</code>".</p>
state the origin, pass the <code title=dom-location><a href=#dom-location>window.location</a></code> object.</p>

<p>Throws an <code><a href=#invalid_state_err>INVALID_STATE_ERR</a></code> if the <var title="">ports</var> array is not null and it contains either null
entries or duplicate ports.</p>
<ol><li>

<p>If the value of the <var title="">targetOrigin</var> argument
is neither a single U+002A ASTERISK character (*), a single U+002F
SOLIDUS character (/), nor an <a href=#absolute-url>absolute URL</a> with a
<code title=url-host-specific><a href=#url-host-specific>&lt;host-specific&gt;</a></code>
component that is either empty or a single U+002F SOLIDUS
character (/), then throw a <code><a href=#syntax_err>SYNTAX_ERR</a></code> exception and
abort the overall set of steps.</p>
is neither a single U+002A ASTERISK character (*) nor an
<a href=#absolute-url>absolute URL</a>, then throw a <code><a href=#syntax_err>SYNTAX_ERR</a></code>
exception and abort the overall set of steps.</p>

</li>


<li>

<p>If the <var title="">targetOrigin</var> argument is a single
literal U+002F SOLIDUS character (/), and the
<code><a href=#document>Document</a></code> of the <code><a href=#window>Window</a></code> object on which
the method was invoked does not have the <a href=#same-origin>same origin</a>
as the <a href=#entry-script>entry script</a>'s <a href="#script's-document" title="script's
document">document</a>, then abort these steps silently.</p>

<p>Otherwise, if the <var title="">targetOrigin</var> argument is
an <a href=#absolute-url>absolute URL</a>, and the <code><a href=#document>Document</a></code> of the
<code><a href=#window>Window</a></code> object on which the method was invoked does
20 source
send the message to the target regardless of origin, set the
target origin to "<code title="">*</code>". To restrict the
message to same-origin targets only, without needing to explicitly
state the origin, set the target origin to "<code
title="">/</code>".</p>
state the origin, pass the <code
title="dom-location">window.location</code> object.</p>

<p>Throws an <code>INVALID_STATE_ERR</code> if the <var
title="">ports</var> array is not null and it contains either null
<li>

<p>If the value of the <var title="">targetOrigin</var> argument
is neither a single U+002A ASTERISK character (*), a single U+002F
SOLIDUS character (/), nor an <span>absolute URL</span> with a
<code title="url-host-specific">&lt;host-specific&gt;</code>
component that is either empty or a single U+002F SOLIDUS
character (/), then throw a <code>SYNTAX_ERR</code> exception and
abort the overall set of steps.</p>
is neither a single U+002A ASTERISK character (*) nor an
<span>absolute URL</span>, then throw a <code>SYNTAX_ERR</code>
exception and abort the overall set of steps.</p>

</li>


<li>

<p>If the <var title="">targetOrigin</var> argument is a single
literal U+002F SOLIDUS character (/), and the
<code>Document</code> of the <code>Window</code> object on which
the method was invoked does not have the <span>same origin</span>
as the <span>entry script</span>'s <span title="script's
document">document</span>, then abort these steps silently.</p>

<p>Otherwise, if the <var title="">targetOrigin</var> argument is
an <span>absolute URL</span>, and the <code>Document</code> of the
<code>Window</code> object on which the method was invoked does

0 comments on commit cf05b23

Please sign in to comment.
You can’t perform that action at this time.