Author: zhen
Date: Thu Sep 11 14:34:35 2008
New Revision: 694495

URL: http://svn.apache.org/viewvc?rev=694495&view=rev
Log:
Changing the targetOrigin parameter of window.postMessage calls from "*" to 
target window's domain.
This security patch prevents cross-domain message sniffing attacks.

Tested in FF3, Safari nightly, and Opera9 which have implemented the 
HTML5-compliant postMessage API.


Modified:
    incubator/shindig/trunk/features/rpc/rpc.js

Modified: incubator/shindig/trunk/features/rpc/rpc.js
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/features/rpc/rpc.js?rev=694495&r1=694494&r2=694495&view=diff
==============================================================================
--- incubator/shindig/trunk/features/rpc/rpc.js (original)
+++ incubator/shindig/trunk/features/rpc/rpc.js Thu Sep 11 14:34:35 2008
@@ -594,7 +594,7 @@
 
         case 'wpm': // use window.postMessage.
           var targetWin = targetId === '..' ? parent : frames[targetId];
-          targetWin.postMessage(rpcData, "*");
+          targetWin.postMessage(rpcData, relayUrl[targetId]);
           break;
 
         case 'fe': // use FrameElement.
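Review bot: the replacement value `relayUrl[targetId]` is a relay URL rather than an origin, and nothing in the hunk guards the case where no relay has been registered for `targetId`. Passing a full URL is acceptable for the targetOrigin argument, since the browser compares only the scheme, host and port it parses from that URL, so the narrowing from `"*"` does what the log message says. But if `relayUrl[targetId]` is undefined the call `targetWin.postMessage(rpcData, relayUrl[targetId]);` will throw on an invalid targetOrigin instead of delivering the message; an explicit check that fails closed (skip the send, or log it) would be clearer than relying on that exception, and it must not fall back to `"*"`, which would reopen the sniffing issue this patch closes. Worth noting in the log message as well: restricting targetOrigin only protects the sent message; the receiving handler still needs to check `event.origin` against the expected sender before acting on `rpcData`.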

