[webkit-dev]
Fwd: [whatwg] postMessage support now in Firefox trunk,
implementation issues, feedback, tests
Maciej Stachowiak
mjs at apple.com
Wed Jan 30 00:27:54 PST 2008
Jeff Walden mentioned on IRC that some of the tests mentioned below
fail in WebKit TOT and seem to show cross-domain postMessage not
working (I suspect it's failing security checks for some unrelated
reason). Can someone (ideally someone who understands postMessage)
please try these? I'm afraid the steps are a little complicated.
I'm also curious if the PAC file approach would be a viable way to do
cross-domain security testing more generally (it is able to test
different subdomains and ports unlike our current approach).
Begin forwarded message:
> From: Jeff Walden <jwalden+whatwg at MIT.EDU>
> Date: January 29, 2008 10:36:51 PM PST
> To: whatwg at whatwg.org
> Subject: [whatwg] postMessage support now in Firefox trunk,
> implementation issues, feedback, tests
> Reply-To: jwalden+whatwg at MIT.EDU
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=postMessage
>
> I just landed HTML5 postMessage support in Firefox, so it should be
> in Firefox 3! Thanks to WebKit people for pushing on this, because
> I didn't think this had a chance of making 3, to be utterly honest,
> having tried once before several months ago. To be honest, I'm
> still in a state of shock this got taken. :-)
>
>
> First:
>
> I strongly encourage all implementers of postMessage to compare how
> they do against the set of tests (for both postMessage and
> MessageEvent functionality) that I wrote during implementation of
> postMessage. I made special efforts not to do any Mozilla-specific
> testing without a user-agent guard, and I don't believe there are
> any unguarded Mozilla-specific tests any more -- and to an extent
> nothing not specified by HTML5 or otherwise commonly implemented,
> more or less. There's significant bustage against the tests in the
> user agents I tested even on basic functionality, to the extent that
> the API's not usable for what it was intended due to incorrect
> errors being thrown on access and such. (I've guarded against these
> problems in the tests with try/catches and "sentinel" timeout checks
> when there's no other way to communicate a failure). The tests are
> available here:
>
> http://web.mit.edu/jwalden/www/whatwg/postMessage.zip
>
> To run the tests, extract them somewhere on your hard drive and
> start an HTTP server on port 8888 serving the postMessage/ folder as
> its root folder. Make sure that your server will serve .xhtml files
> with the XHTML MIME-type -- a couple tests use it because I was too
> lazy to use external files for scripts and wanted to include special
> characters literally (or wanted to test specific Unicode-related
> handling). Next, set up proxy autoconfig in your UA to point to <http://localhost:8888/proxy.js
> >. Now navigate to:
>
> http://localhost:8888/tests/dom/tests/mochitest/whatwg/
>
>> From there click the "Run tests" link to see how you do. For
>> individual test results, see the individual test links. Be very
>> careful when you run these -- the uri-checking hard-codes URIs
>> instead of using something like location.href in the interest of
>> robustness against colluding failures, so running with, say, a
>> stray hash or question mark at the end of a page URL will usually
>> cause that test to fail.
>
> I spent a lot of time on these tests, and I'm not aware of any bugs
> in them, but I'd very much appreciate people reading through them,
> running them, and checking for any errors I might have made, say, in
> not marking a test as Moz-specific or such (subject to the points
> noted below).
>
>
> Second:
>
> The spec's incomplete or vague on a few points right now. The
> points I know where I forged new ground or think clarifications/
> explicit notes may be in order are:
>
> * event.domain/uri values in a rewritten about:blank document
> The spec seems to somewhat indicate that we should be using
> about:blank and "" as uri/domain right now, but that's fairly
> useless in terms of allowing postMessage in dynamically-created
> pages. This probably wants to change to reflect the document's
> origin/principal, and assuming things go the way most browsers have
> implemented it, this means those values are the same as for the
> opener of about:blank. This is tested in
> test_postMessage_special.xhtml. Note that there are two different
> tests of this behavior which change the document in slightly
> different ways, and Mozilla expects them to have the same results
> right now.
>
> * event.domain/uri values in data: URLs
> Mozilla currently gives data: URLs the principal of the opener/
> parent, so we use that URI for computing uri/domain of messages from
> data: URLs. The two tests for this are UA-guarded for now as
> behaviors differ across browsers on this, but in the long run
> everyone should come to an agreement on this.
>
> * event.domain with non-standard ports
> We have it so domain doesn't include the port number, ever. The
> spec says this, but it's not absolutely explicit.
>
> * event.domain/uri values for IDN URLs
> We use the Unicode-ized values of these, not the Punycode versions.
> (Actually, that's a lie -- what we use depends on whether the
> relevant TLD is whitelisted for non-punycode display or not, which
> is clearly the wrong behavior; at the moment I doubt this will be
> fixed for Firefox 3, sadly.) I think this is what authors would
> most likely expect, if not now then when IDN is truly widespread
> (when we'd be stuck with punycode if we were to choose it now), but
> the spec doesn't say anything about IDN yet.
>
> * event.domain/uri when calling through another same-origin page
> Page A and B are same-origin; A calls a method in B, which calls
> postMessage. The dispatched event has uri/domain of B, not of A.
> The spec's reasonably clear on this, but best to note it explicitly
> here.
>
> * event.domain for non-hierarchical URLs
> I don't test this because I'm aware of no common protocol that would
> be cross-browser, but .domain would be the empty string, not null,
> in this case. If we ever changed the behavior of data: URLs, I
> suspect we'd hit the logic to return an empty string.
>
> * event.domain when document.domain has been changed
> The value of event.domain is the original domain for the page, not
> the value to which document.domain may have been set.
>
> * handling a postMessage-dispatched MessageEvent by throwing
> Any exceptions thrown by exception handlers when postMessage is
> called on a window are ignored; they are not propagated up to an
> exception handlers. In particular, this happens regardless of the
> origin of the window whose script threw an exception, even if it is
> identical to that of the window that called postMessage. It doesn't
> seem like a good design to me to have to check for a pending
> exception and only allow it if the target had the same origin; best
> to avoid the problem entirely and just unconditionally prevent any
> exceptions from propagating rather than introduce the possibility of
> error in determining when an exception may be safely propagated.
> (Also consider that if you were to propagate in the cross-origin
> case you'd have to make sure the thrower hadn't set any properties
> on the exception, or at least that said properties would not be
> accessible to the postMessage caller.)
>
>
> (One last note that's relevant yet not relevant: if you're wondering
> what Mozilla does for "chrome" content that runs with elevated
> privileges, we forcibly make the source of the dispatched events
> null. In this way chrome can postMessage chrome or content, but no
> method is provided for response or even for referring to the
> sender. To respond, the target window must be able to get a
> reference to the sending window some other way.)
>
>
>
> That covers everything I ran into while implementing this; comments,
> suggestions for other tests, complaints about test bugs, suggestions
> for error message clarifications, yadda yadda are all greatly
> appreciated!
>
> Jeff Walden
>
> P.S. -- Mailman, you suck for not using using the various vendor-
> specific and standard forms of pre-wrap on the ASCII emails you
> display, and I refuse to acquiesce to your demands for line breaks
> in what I type.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.webkit.org/pipermail/webkit-dev/attachments/20080130/8e988023/attachment-0001.html
More information about the webkit-dev
mailing list