Sunava Dutta wrote:
· The language in http://www.whatwg.org/specs/web-apps/current-work/multipage/section-crossDocumentMessages.html overpromises the security of this feature and we recommend a revision. The current language implies that cross-site scripting attacks are not possible. This is not correct, since a developer can receive script from a postMessage and run it in the DOM.
I don't really think it's an overpromise, but there's nothing wrong with paranoia (I've already clearly indicted myself with <http://developer.mozilla.org/en/docs/DOM:window.postMessage> :-) ). I wouldn't add it myself, but if people are more comfortable with it than with the current wording, no complaints here.
· We’re glad to see the e.URI gone. It exposed too much potentially dangerous information.
No complaints there, once I read the rationale behind the change.
· For the postMessage (message, origin) method we would recommend the parameter be called postMessage(message, targetOrigin) since it’s easier to understand what it is.
No complaints here either.
Here’s our rewrite!
Thanks for the feedback! Jeff
