[whatwg] postMessage: event.source allows navigation of sender

Hallvord R M Steen hallvors at gmail.com
Thu Feb 7 04:32:55 PST 2008


> > > Opera assumes that if a script
> > > has a JavaScript pointer to a frame then that script is permitted to
> > > navigate that frame.
> >
> > This is actually per the spec and required for web compatibility
> Here is a test case:
>
> http://crypto.stanford.edu/~abarth/research/html5/sibling/

Ah sorry, I see what you mean. Haven't let all the implications of
your ancestor policy research sink in yet. You are perfectly right
that Opera's security policy here relies on disallowing getting the
window object rather than setting location.

Implementing the ancestore policy takes care of most of the scenarios
I can think of where you may want to post messages to a window that
should not be allowed to change your location. One case I'm still
somewhat concerned about is that one is allowed to set the location of
any top-level window according to the ancestor policy, so calling
postMessage on untrusted windows from your top window is still
somewhat dangerous. That's something we have to allow for web
compatibility and for this reason I still think removing event.source
from the message event interface would be a good idea.

For example, consider

w=window.open();
w.opener = null;
w.location = 'http://untrusted.example.org'
w.postMessage( '...' );

Untrusted content now gets a window reference it would not otherwise
have, and will be allowed to set location if this scripts runs in the
top context of the opener.


-- 
Hallvord R. M. Steen



More information about the whatwg mailing list