postMessage()'s targetOrigin and security
Tuesday, July 20, 2010 7:44:49 PM
the web browser should make sure no other site than www.example.com can receive the message.
The problem is that all other browsers allow something like
while Opera follows the current text of the HTML5 spec and throws an exception if there is a path, query string or fragment in the second argument. Some features Facebook embeds in other websites fail in Opera due to Facebook composing the "origin" string they pass to postMessage() this way:
FB.XD._origin=(window.location.protocol+'//'+window.location.host+'/'+FB.guid()); (source)
The string returned by FB.guid() is appended after the host, so the resulting "origin" has a path component, and that is what causes an exception in Opera when Facebook tries posting messages.
Had I written this blog post last week, I would have pointed fingers at Gecko and WebKit for not being able to implement even new specs correctly. However, luckily I first posted about the issue on the WHATWG list, and the subsequent discussion clarified that this exception was added to the spec after the implementations were written (at least in Mozilla's case). So who is to blame?
- The HTML5 editor and working group for continually changing features that are already implemented, shipped, and in use on the web?
- Facebook for coding according to implementations rather than to the spec?
- Mozilla and WebKit for not tracking the spec's changes and updating their implementations as soon as possible (it's been two years since this requirement was added to the spec, after all)?
I don't know, and looking for someone to blame is a waste of time anyway. We'll change Opera to match the others, and I've used the WHATWG spec's review feature to report a spec bug. While he's at it, the editor should also remove the '/' shortcut for "current origin" I guess.