[whatwg] The cross-document messaging APIs
ian at hixie.ch
Wed Aug 8 17:51:36 PDT 2007
I've moved the cross-document messaging API postMessage() to Window
instead of Document. I haven't otherwise changed it. I know it's not what
everyone wanted, but the various requests were somewhat incompatible so
someone had to not get what they wanted. :-) In particular, I haven't
change postMessage() to be on the source Window instead of the target
Window, since we had implementation feedback in both directions.
On Tue, 10 Jul 2007, Jeff Walden wrote:
> First, on a less substantial note: I agree with the spec note that this
> API should be on Window (and change source's type to Window as well).
> There can be multiple documents associated with a Window, but the
> principal is the same for the entire bundle -- it's tied to the window,
> not to the document.
> Also, in my skim of Mozilla's Window implementation, it seems to contain
> far more of the methods with security considerations, whereas the
> HTMLDocument implementation contains fewer; I think concentrating the
> security-conscious methods in fewer locations and greater quantities is
> a good idea.
> (It would be nice if the XSS concern mentioned in the note were
> explained, because I'm not sure to what it refers, and it might
> conceivably affect my opinion here.)
I'm not sure what you're referring to here.
> Second: as currently specified, postMessage (section 6.4, cross-domain
> messaging), requires that an implementation "punch" a hole through its
> security specifically for calls to postMessage on windows (assuming it
> were moved to Window), as well as possibly for enumerating a window's
> properties, doing |"postMessage" in win| checks, and ensuring that
> |win.postMessage| doesn't refer to a function that |win| might have
> defined in a custom modification (if the property weren't
> ReadOnly+DontDelete; the spec doesn't mention).
Yes, this is already quite common on Window for several other APIs.
> I was discussing this with a friend recently, and he made the following
> suggestion: why not instead change the API to |postMessage(message,
> otherWindow)|, such that sending a message to another window involves
> getting the other window and calling |postMessage| on *your* window?
> It's already possible to acquire and use objects associated with other
> browsing contexts, and you can even pass them to APIs (usually you'll
> get an error, but it's not a guard-dog -- it's an error raised by that
> specific method). This removes the need to punch the hole to make
> |postMessage| available to any script, and it means only postMessage
> itself (and not other pieces of the browser's security code) needs to be
> able to punch same-origin holes -- a significantly smaller change
> security-wise, and much easier to audit and reason about.
This is not a bad argument, but I think it is neater to call the method on
the target window (and easier to understand at a glance).
The security issue would be more of a problem if there wasn't such a
precedent for carefully crafted holes in the Window object.
On Tue, 10 Jul 2007, Aaron Boodman wrote:
> On 7/10/07, Jeff Walden <jwalden+whatwg at mit.edu> wrote:
>> why not instead change the API to |postMessage(message, otherWindow)|,
>> such that sending a message to another window involves getting the
>> other window and calling |postMessage| on *your* window?
> This is a great idea. We were thinking of implementing PostMessage in
> Gears and it would be much easier if that were the API.
I apologise for making your life harder, but I hope that leaving it as it
is in the spec will not prove to be a huge blocker for you.
On Sat, 14 Jul 2007, Jeff Walden wrote:
> Second, in the interests of explicitness, we should be clear about the
> exact values of event.domain and event.uri. Two concerns: how does
> setting document.domain interact with the computed value for
> event.domain, and what are the contents of event.domain in the presence
> of default and non-default ports? I think the answers to these two
> concerns must be as follows. Setting document.domain must have no
> effect on the value of event.domain, in the interests of web hosts who
> host content on subdomains of their main domain, e.g.
> myhomepage.webhost.com and webhost.com (else it would allow spoofing in
> pages which listened for cross-domain messages but didn't check the
> uri). The contents of event.domain must include the port number iff it
> is not the default port number for the protocol (80 for http, 443 for
> https) and must omit it otherwise.
The domain is intended to only contain the domain (no port); the port and
protocol can be obtained from the "uri" attribute if it is needed.
I've added a note to myself to fix this in due course.
> Third, with the modified API, the following is possible:
> // kidFrame is same-origin wrt window
> window.frames.kidFrame.postMessage(otherWindow, message);
> With the current design, this would basically allow a window to send an
> event which looks as though it has been created by another (same-origin,
> or joined-principals via document.domain) window, with a different
> event.uri. Since the two windows are same-session this probably isn't a
> real concern, but I think it's worth mentioning that the change makes it
> possible to send a message from a window different from the one
> currently executing the script.
This is actually a good argument against it, IMHO, though of course since
you can use dispatchEvent() you can always fake the event in this kind of
> Fourth, and probably most importantly, is the event dispatched by
> postMessage dispatched synchronously (event fired and processed before
> postMessage returns) or asynchronously? I interpret the current wording
> to mean synchronously, in accordance with the DOM 3 Events section on
> reentrance, but I'd like to be clear that's the intended interpretation.
Clarified in the spec.
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg