Use only the incumbent global in postMessage

Previously one of the origin checks was performed with the entry settings object, while the origin and source attributes of the resulting MessageEvent were derived from the incumbent settings object. At least WebKit and Blink appear to use the same global for both, and it makes sense to align the checks on the same global. The difference is only observable in test cases that fiddle with document.domain, as entry and incumbent are always same origin-domain (but, in document.domain cases, not always same origin). Fixes whatwg#1542. Helps whatwg#1431 but hurts whatwg#1430.
alice · Jan 7, 2019 · 8b9d1cc · 8b9d1cc
1 parent 9edb4c7
commit 8b9d1cc
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/source b/source
@@ -94277,9 +94277,11 @@ function receiver(e) {
    <li><p>Let <var>targetRealm</var> be this <code>Window</code> object's <span
    data-x="concept-global-object-realm">Realm</span>.</p></li>
 
-   <li><p>Let <var>entrySettings</var> be the <span>entry settings object</span>.</p></li>
-
    <li><p>Let <var>incumbentSettings</var> be the <span>incumbent settings object</span>.</p></li>
+   <!-- This is one of the few cases where incumbent is probably the right choice. Current or
+   relevant would mean that the MessageEvent's source property always points to the "calling"
+   window, in same-origin cases. See discussion at
+   https://github.com/whatwg/html/issues/1542#issuecomment-233502636 -->
 
    <li><p>Let <var>cloneRecord</var> be <span>StructuredCloneWithTransfer</span>(<var>message</var>,
    <var>transfer</var>, <var>targetRealm</var>). Rethrow any exceptions.</p></li>
@@ -94298,7 +94300,7 @@ function receiver(e) {
     <p>If the <var>targetOrigin</var> argument is a single literal U+002F SOLIDUS
     character (/), and the <code>Document</code> of the <code>Window</code> object on which the
     method was invoked does not have the <span>same origin</span> as the <span>responsible
-    document</span> specified by <var>entrySettings</var>, then abort these steps silently.</p>
+    document</span> specified by <var>incumbentSettings</var>, then abort these steps silently.</p>
 
     <p>Otherwise, if the <var>targetOrigin</var> argument is an <span>absolute URL</span>,
     and the <code>Document</code> of the <code>Window</code> object on which the method was invoked