[html5] r1214 - /

whatwg at whatwg.org
Tue Feb 12 13:01:08 PST 2008


Author: ianh
Date: 2008-02-12 13:01:07 -0800 (Tue, 12 Feb 2008)
New Revision: 1214

Modified:
   index
   source
Log:
[gow] (2) Security fix for postMessage(): What is needed is not the domain+uri, but the origin, of the message source

Modified: index
===================================================================
--- index	2008-02-12 01:06:23 UTC (rev 1213)
+++ index	2008-02-12 21:01:07 UTC (rev 1214)
@@ -35085,8 +35085,7 @@
 
   <pre class=idl>interface <dfn id=messageevent>MessageEvent</dfn> : Event {
   readonly attribute DOMString <a href="#data4" title=dom-MessageEvent-data>data</a>;
-  readonly attribute DOMString <a href="#domain1" title=dom-MessageEvent-domain>domain</a>;
-  readonly attribute DOMString <a href="#uri0" title=dom-MessageEvent-uri>uri</a>;
+  readonly attribute DOMString <span title=dom-MessageEvent-origin>origin</span>;
   readonly attribute <a href="#window">Window</a> <a href="#source2" title=dom-MessageEvent-source>source</a>;
   void <a href="#initmessageevent" title=dom-MessageEvent-initMessageEvent>initMessageEvent</a>(in DOMString typeArg, in boolean canBubbleArg, in boolean cancelableArg, in DOMString dataArg, in DOMString domainArg, in DOMString uriArg, in Window sourceArg);
   void <a href="#initmessageeventns" title=dom-MessageEvent-initMessageEventNS>initMessageEventNS</a>(in DOMString namespaceURI, in DOMString typeArg, in boolean canBubbleArg, in boolean cancelableArg, in DOMString dataArg, in DOMString domainArg, in DOMString uriArg, in Window sourceArg);
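Review bot: the initMessageEvent() and initMessageEventNS() signatures on the two unchanged lines still take `in DOMString domainArg, in DOMString uriArg`, even though the attributes they initialise have just been replaced by a single `origin`; they should take one `in DOMString originArg` instead, otherwise there is no way to initialise the new attribute through these methods and the IDL is internally inconsistent.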
@@ -35103,15 +35102,13 @@
   <p>The <dfn id=data4 title=dom-MessageEvent-data><code>data</code></dfn>
    attribute represents the message being sent.
 
-  <p>The <dfn id=domain1
-   title=dom-MessageEvent-domain><code>domain</code></dfn> attribute
+  <p>The <dfn id=origin1
+   title=dom-MessageEvent-domain><code>origin</code></dfn> attribute
    represents, in <a href="#cross-document">cross-document messaging</a>, the
-   domain of the document from which the message came.
+   <a href="#origin0">origin</a> of the document that sent the message
+   (typically the scheme, hostname, and port of the document, but not its
+   path or fragment identifier).
 
-  <p>The <dfn id=uri0 title=dom-MessageEvent-uri><code>uri</code></dfn>
-   attribute represents, in <a href="#cross-document">cross-document
-   messaging</a>, the address of the document from which the message came.
-
   <p>The <dfn id=source2
    title=dom-MessageEvent-source><code>source</code></dfn> attribute
    represents, in <a href="#cross-document">cross-document messaging</a>, the
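Review bot: the renamed definition keeps `title=dom-MessageEvent-domain` on the `<dfn id=origin1 ...>` line while the IDL block in this same file uses `title=dom-MessageEvent-origin`; change the dfn title to `dom-MessageEvent-origin` so the IDL and the prose refer to the same term and cross-references to it resolve to this definition.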
@@ -36555,18 +36552,16 @@
    the <var title="">message</var> argument to the <code
    title=dom-window-postMessage><a
    href="#postmessage">postMessage()</a></code> method, the <code
-   title=dom-MessageEvent-domain><a href="#domain1">domain</a></code>
-   attribute must be set to the <a href="#domain0" title="the document's
-   domain">domain of the document</a> that the script that invoked the
-   methods is associated with, the <code title=dom-MessageEvent-uri><a
-   href="#uri0">uri</a></code> attribute must be set to the URI of that
-   document, and the <code title=dom-MessageEvent-source><a
-   href="#source2">source</a></code> attribute must be set to the <code><a
-   href="#window">Window</a></code> object of the default view of the
-   browsing context with which that document is associated.
+   title=dom-MessageEvent-origin>origin</code> attribute must be set to the
+   <a href="#origin0">origin</a> of the document that the script that invoked
+   the methods is associated with, and the <code
+   title=dom-MessageEvent-source><a href="#source2">source</a></code>
+   attribute must be set to the <code><a href="#window">Window</a></code>
+   object of the default view of the browsing context with which that
+   document is associated.
 
-  <p class=issue>Define 'domain' more exactly -- IDN vs no IDN, absence of
-   ports, effect of window.document.domain on its value, etc
+  <p class=issue>Define 'origin' more exactly -- IDN vs no IDN, effect of
+   window.document.domain on its value, etc
 
   <p>The event must then be dispatched at the <code>Document</code> object
    that is the <a href="#active">active document</a> of the <code><a
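Review bot: the `<code title=dom-MessageEvent-origin>origin</code>` reference here carries no `<a href>` to its definition, unlike the neighbouring `data` and `source` references, so the rendered text loses the link; this will only resolve once a dfn with the matching `dom-MessageEvent-origin` title exists. Minor: "the script that invoked the methods" should read "the method", since only postMessage() is invoked here.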
@@ -36579,10 +36574,10 @@
    and event listeners have been executed as appropriate).
 
   <p class=warning>Authors should check the <code
-   title=dom-MessageEvent-domain><a href="#domain1">domain</a></code>
-   attribute to ensure that messages are only accepted from domains that they
-   expect to receive messages from. Otherwise, bugs in the author's message
-   handling code could be exploited by hostile sites.
+   title=dom-MessageEvent-origin>origin</code> attribute to ensure that
+   messages are only accepted from domains that they expect to receive
+   messages from. Otherwise, bugs in the author's message handling code could
+   be exploited by hostile sites.
 
   <div class=example>
    <p>For example, if document A contains an <code><a
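Review bot: the warning now tells authors to check `origin`, but the wording still says messages should only be accepted "from domains that they expect to receive messages from"; say "origins" here, because a bare domain comparison is precisely what this revision moves away from (the new definition makes scheme and port part of the value), and leaving "domains" invites authors to keep doing hostname-only checks.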
@@ -36593,8 +36588,7 @@
     document A. The script in document A might look like:</p>
 
    <pre>var o = document.getElementsByTagName('object')[0];
-o.<span title=dom-object-contentWindow>contentWindow</span>.<a href="#postmessage" title=dom-window-postMessage>postMessage</a>('Hello world');
-</pre>
+o.contentWindow.postMessage('Hello world');</pre>
 
    <p>To register an event handler for incoming events, the script would use
     <code title="">addEventListener()</code> (or similar mechanisms). For
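Review bot: the rewritten example line drops the `<span title=dom-object-contentWindow>` and `<a href="#postmessage" title=dom-window-postMessage>` markup around contentWindow and postMessage, so the example no longer links to those definitions; if the intent was only to remove the stray newline before `</pre>`, keep the cross-reference markup.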
@@ -36602,7 +36596,7 @@
 
    <pre>document.addEventListener('message', receiver, false);
 function receiver(e) {
-  if (e.domain == 'example.com') {
+  if (e.origin == 'http://example.com/') {
     if (e.data == 'Hello world') {
       e.source.postMessage('Hello');
     } else {
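Review bot: the comparison `e.origin == 'http://example.com/'` includes a trailing slash, but the definition introduced in this revision says origin is the scheme, hostname and port of the document "but not its path or fragment identifier"; a value serialized without a path would never equal this string, so the handler in the example would reject every message. Compare against `'http://example.com'` (and the open issue paragraph should also settle whether a default port is included in the serialization) so the example demonstrates the exact-match origin check it is meant to teach.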

Modified: source
===================================================================
--- source	2008-02-12 01:06:23 UTC (rev 1213)
+++ source	2008-02-12 21:01:07 UTC (rev 1214)
@@ -32407,8 +32407,7 @@
 
   <pre class="idl">interface <dfn>MessageEvent</dfn> : Event {
   readonly attribute DOMString <span title="dom-MessageEvent-data">data</span>;
-  readonly attribute DOMString <span title="dom-MessageEvent-domain">domain</span>;
-  readonly attribute DOMString <span title="dom-MessageEvent-uri">uri</span>;
+  readonly attribute DOMString <span title="dom-MessageEvent-origin">origin</span>;
   readonly attribute <span>Window</span> <span title="dom-MessageEvent-source">source</span>;
   void <span title="dom-MessageEvent-initMessageEvent">initMessageEvent</span>(in DOMString typeArg, in boolean canBubbleArg, in boolean cancelableArg, in DOMString dataArg, in DOMString domainArg, in DOMString uriArg, in Window sourceArg);
   void <span title="dom-MessageEvent-initMessageEventNS">initMessageEventNS</span>(in DOMString namespaceURI, in DOMString typeArg, in boolean canBubbleArg, in boolean cancelableArg, in DOMString dataArg, in DOMString domainArg, in DOMString uriArg, in Window sourceArg);
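Review bot: the two unchanged initMessageEvent()/initMessageEventNS() lines still declare `in DOMString domainArg, in DOMString uriArg` while the attribute list now exposes only `origin`; replace the pair with a single `in DOMString originArg` so the initialisers match the attributes above them.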
@@ -32427,14 +32426,12 @@
   attribute represents the message being sent.</p>
 
   <p>The <dfn
-  title="dom-MessageEvent-domain"><code>domain</code></dfn> attribute
-  represents, in <span>cross-document messaging</span>, the domain of
-  the document from which the message came.</p>
+  title="dom-MessageEvent-domain"><code>origin</code></dfn> attribute
+  represents, in <span>cross-document messaging</span>, the
+  <span>origin</span> of the document that sent the message (typically
+  the scheme, hostname, and port of the document, but not its path or
+  fragment identifier).</p>
 
-  <p>The <dfn title="dom-MessageEvent-uri"><code>uri</code></dfn>
-  attribute represents, in <span>cross-document messaging</span>, the
-  address of the document from which the message came.</p>
-
   <p>The <dfn
   title="dom-MessageEvent-source"><code>source</code></dfn> attribute
   represents, in <span>cross-document messaging</span>, the
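Review bot: the `<dfn title="dom-MessageEvent-domain"><code>origin</code></dfn>` line renames the visible term but leaves the title as `dom-MessageEvent-domain`, whereas the IDL in this file uses `dom-MessageEvent-origin`; change the title to `dom-MessageEvent-origin`, otherwise the generator cannot link later `<code title="dom-MessageEvent-origin">` references to this definition.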
@@ -33910,18 +33907,15 @@
   title="dom-MessageEvent-data">data</code> attribute must be set to
   the value passed as the <var title="">message</var> argument to the
   <code title="dom-window-postMessage">postMessage()</code> method,
-  the <code title="dom-MessageEvent-domain">domain</code> attribute
-  must be set to the <span title="the document's domain">domain of the
-  document</span> that the script that invoked the methods is
-  associated with, the <code title="dom-MessageEvent-uri">uri</code>
-  attribute must be set to the URI of that document, and the <code
+  the <code title="dom-MessageEvent-origin">origin</code> attribute
+  must be set to the <span>origin</span> of the document that the
+  script that invoked the methods is associated with, and the <code
   title="dom-MessageEvent-source">source</code> attribute must be set
   to the <code>Window</code> object of the default view of the
   browsing context with which that document is associated.</p>
 
-  <p class="issue">Define 'domain' more exactly -- IDN vs no IDN,
-  absence of ports, effect of window.document.domain on its value,
-  etc</p>
+  <p class="issue">Define 'origin' more exactly -- IDN vs no IDN,
+  effect of window.document.domain on its value, etc</p>
 
   <p>The event must then be dispatched at the <code>Document</code>
   object that is the <span>active document</span> of the
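Review bot: `<code title="dom-MessageEvent-origin">origin</code>` here will only resolve to a definition if a dfn with that exact title exists in the file, so this hunk depends on the dfn title being updated alongside it; also "the script that invoked the methods" should be "the method", as only postMessage() is involved.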
@@ -33934,7 +33928,7 @@
   been executed as appropriate).</p>
 
   <p class="warning">Authors should check the <code
-  title="dom-MessageEvent-domain">domain</code> attribute to ensure
+  title="dom-MessageEvent-origin">origin</code> attribute to ensure
   that messages are only accepted from domains that they expect to
   receive messages from. Otherwise, bugs in the author's message
   handling code could be exploited by hostile sites.</p>
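Review bot: the unchanged context still reads "from domains that they expect to receive messages from" even though the attribute being checked is now `origin`; say "origins" so the warning does not encourage hostname-only comparisons that ignore scheme and port, which the new origin definition explicitly includes.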
@@ -33949,8 +33943,7 @@
    might look like:</p>
 
    <pre>var o = document.getElementsByTagName('object')[0];
-o.<span title="dom-object-contentWindow">contentWindow</span>.<span title="dom-window-postMessage">postMessage</span>('Hello world');
-</pre>
+o.contentWindow.postMessage('Hello world');</pre>
 
    <p>To register an event handler for incoming events, the script
    would use <code title="">addEventListener()</code> (or similar mechanisms).
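Review bot: removing the `<span title="dom-object-contentWindow">` and `<span title="dom-window-postMessage">` markup from the example line means the generated output will no longer link contentWindow and postMessage to their definitions; if the goal was just to drop the newline before `</pre>`, keep the spans.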
@@ -33958,7 +33951,7 @@
 
    <pre>document.addEventListener('message', receiver, false);
 function receiver(e) {
-  if (e.domain == 'example.com') {
+  if (e.origin == 'http://example.com/') {
     if (e.data == 'Hello world') {
       e.source.postMessage('Hello');
     } else {
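Review bot: `e.origin == 'http://example.com/'` compares against a value with a trailing slash, yet the definition added in this revision excludes the path from the origin, so the example's exact-match check would never succeed; use `'http://example.com'` and make sure the open issue on the origin's serialization (default port, IDN) is resolved in the same direction so the example stays correct.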
