[cap-talk] "Cross-document messaging" in HTML

David Hopwood david.hopwood at industrial-designers.co.uk
Sun Apr 29 12:50:09 EDT 2007


WHATWG is busy adding message passing features to HTML 5 that depend on
message origin authentication :-(

<http://www.whatwg.org/specs/web-apps/current-work/#crossDocumentMessages>

# Warning! Authors should check the 'domain' attribute to ensure that messages
# are only accepted from domains that they expect to receive messages from.
# Otherwise, bugs in the author's message handling code could be exploited by
# hostile sites.
[...]
# Implementors are urged to take extra care in the implementation of this feature.
# It allows authors to transmit information from one domain to another domain,
# which is normally disallowed for security reasons. It also requires that UAs
# be careful to allow access to certain properties but not others.

This is apparently implemented in Opera:
<http://virtuelvis.com/archives/2005/12/cross-document-messaging>

-- 
David Hopwood <david.hopwood at industrial-designers.co.uk> (note new address)
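
Added example, not part of the original message or of the WHATWG draft: a receiver that performs the sender check the quoted warning asks for, beside a substring check that a lookalike host passes. The draft names the attribute 'domain'; this sketch reads `event.origin`, the name on the `MessageEvent` browsers deliver today, and the allowlist, message shape and function names are assumptions.

```javascript
// Constructed allowlist of exact origins this page expects messages from.
const TRUSTED = new Set(["https://widgets.example.com"]);

// Weak check shown for contrast: a substring match on the sender string.
function naiveIsTrusted(origin) {
  return String(origin).indexOf("widgets.example.com") !== -1;
}

// Strict check: well-formed http(s) origin, exact match against the list.
function isTrusted(origin, trusted) {
  if (typeof origin !== "string") return false;
  let url;
  try { url = new URL(origin); } catch (e) { return false; } // e.g. "null"
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  // Serialized origins carry no path, userinfo or upper case; reject the rest.
  return url.origin === origin && trusted.has(origin);
}

// Build a receiver. `handlers` maps a message type to a function (hypothetical
// message shape: { type: string, ... }). The payload stays untrusted input
// even after the sender check passes.
function makeReceiver(trusted, handlers) {
  return function receive(event) {
    if (!isTrusted(event.origin, trusted)) {
      return { accepted: false, reason: "untrusted origin" };
    }
    const msg = event.data;
    if (msg === null || typeof msg !== "object" || typeof msg.type !== "string") {
      return { accepted: false, reason: "malformed message" };
    }
    if (!Object.prototype.hasOwnProperty.call(handlers, msg.type)) {
      return { accepted: false, reason: "unknown type" };
    }
    return { accepted: true, result: handlers[msg.type](msg) };
  };
}

// Constructed events standing in for what a browser would deliver.
const receive = makeReceiver(TRUSTED, { resize: (m) => Number(m.height) || 0 });
const samples = [
  { origin: "https://widgets.example.com", data: { type: "resize", height: 300 } },
  { origin: "https://widgets.example.com.attacker.test", data: { type: "resize" } },
  { origin: "http://widgets.example.com", data: { type: "resize" } },
  { origin: "https://widgets.example.com", data: { type: "toString" } },
];
for (const ev of samples) console.log(ev.origin, JSON.stringify(receive(ev)));
// In a page: window.addEventListener("message", (e) => receive(e));
```

Only the first constructed event is accepted; the second is the case the substring check lets through.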



