window.postMessage needs targetOrigin=* for dataurl

[Worldwidebrine]

MDN URL

https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage

What specific section or headline is this issue about?

Security concerns

What information was incorrect, unhelpful, or incomplete?

Always specify an exact target origin, not *, when you use postMessage to dispatch data to other windows.

What did you expect to see?

Add data:, I guess?

I tried with iframe.src=dataurl, and I realized I need "*".

Do you have any supporting links, references, or citations?

No response

Do you have anything more you want to share?

No response

MDN metadata

Page report details

• Folder: en-us/web/api/window/postmessage
• MDN URL: https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
• GitHub URL: https://github.com/mdn/content/blob/main/files/en-us/web/api/window/postmessage/index.md
• Last commit: 1a48b6a
• Document last modified: 2024-08-27T04:49:15.000Z

[Josh-Cena]

Could you show a minimal example of what you mean? You mean when your target's URL is a data: URL you have to use "*"?

[Worldwidebrine]

With a second thought, I think this should be add to

Note: Data URLs are treated as unique opaque origins by modern browsers, rather than inheriting the origin of the settings object responsible for the navigation.
https://developer.mozilla.org/en-US/docs/Web/URI/Schemes/data

rather than window.postMessage page. Sorry for that.

new URL(dataurl).origin returns string "null".
But postMessage doesn't allow string "null" as origin.
Real null or undefined value will be considered as empty origin argument, then postMessage will use current origin, and dataurl will never receive any.

[Josh-Cena]

I see, I would not be opposed to a single line addition that says "note that data URLs have opaque origins, so to send data to a context with a data URL, you cannot specify the target origin."