[whatwg] IE Team Feedback on HTML 5.0 Cross Document Messaging

Sunava Dutta sunavad at windows.microsoft.com
Thu Feb 21 19:18:40 PST 2008

This is a compelling feature and will greatly ease developer pains around cross frame communication hacks. -:)

*        The language in http://www.whatwg.org/specs/web-apps/current-work/multipage/section-crossDocumentMessages.html overpromises the security of this feature and we recommend a revision. The current language implies that cross site scripting attacks are not possible. This is not correct since a developer can receive script from a postmessage and run it in the DOM.

o   This section introduces a messaging system that allows documents to communicate with each other regardless of their source domain, in a way designed to not enable cross-site scripting attacks  enable prevention of script injection attacks.

*        We're glad to see the e.URI gone. It exposed too much potentially dangerous information.

*       For the postMessage (message, origin) method we would recommend the parameter be called postMessage(message, targetOrigin) since it's easier to understand what it is.

Here's our rewrite!

6.4.1 Processing model
When a script invokes the postMessage(message, targetOrigin) method on a Window<http://www.whatwg.org/specs/web-apps/current-work/multipage/section-the-default0.html#window> object, the user agent must follow these steps:

 1.  Let target be the Document object that is the active document<http://www.whatwg.org/specs/web-apps/current-work/multipage/section-windows.html#active> of the Window<http://www.whatwg.org/specs/web-apps/current-work/multipage/section-the-default0.html#window> object on which the method was invoked.
 2.  If the targetOrigin argument is present and not null, run these substeps:
    *   If the value of the targetOrigin argument is not a valid URI or IRI, then throw a SYNTAX_ERR exception and abort the overall set of steps. [RFC3986]<http://www.whatwg.org/specs/web-apps/current-work/multipage/section-crossDocumentMessages.html#refsRFC3490> [RFC3987]<http://www.whatwg.org/specs/web-apps/current-work/multipage/section-crossDocumentMessages.html#refsRFC3490>
    *   If the origin<http://www.whatwg.org/specs/web-apps/current-work/multipage/section-scripting.html#origin0> of the target document is not a scheme/host/port tuple, then abort the overall set of steps silently.
    *   Otherwise, let targetOrigin be the URI or IRI parsed from the targetOrigin argument. [RFC3986]<http://www.whatwg.org/specs/web-apps/current-work/multipage/section-crossDocumentMessages.html#refsRFC3490> [RFC3987]<http://www.whatwg.org/specs/web-apps/current-work/multipage/section-crossDocumentMessages.html#refsRFC3490>
    *   If targetOrigin uses a URI scheme that does not have a server-based naming authority, then abort the overall set of steps silently. [RFC3986]<http://www.whatwg.org/specs/web-apps/current-work/multipage/section-crossDocumentMessages.html#refsRFC3490>
    *   Let desired scheme be the <scheme> component of targetOrigin.
    *   Let desired host be the <host> or <ihost> part of targetOrigin, with the ToAscii algorithm applied. [RFC3490]<http://www.whatwg.org/specs/web-apps/current-work/multipage/section-crossDocumentMessages.html#refsRFC3490>
    *   Let desired port be the <port> component of targetOrigin, or, if there isn't one, the default port for desired scheme.
    *   If desired scheme is not the same as the scheme component of the origin<http://www.whatwg.org/specs/web-apps/current-work/multipage/section-scripting.html#origin0> of the target document, then abort the overall set of steps silently.
    *   If desired host is not the same as the host component of the origin<http://www.whatwg.org/specs/web-apps/current-work/multipage/section-scripting.html#origin0> of the target document, after having the ToAscii algorithm applied, then abort the overall set of steps silently. [RFC3490]<http://www.whatwg.org/specs/web-apps/current-work/multipage/section-crossDocumentMessages.html#refsRFC3490>
    *   If desired port is not the same as the port component of the origin<http://www.whatwg.org/specs/web-apps/current-work/multipage/section-scripting.html#origin0> of the target document, then abort the overall set of steps silently.
 3.  Create an event that uses the MessageEvent<http://www.whatwg.org/specs/web-apps/current-work/multipage/section-event1.html#messageevent> interface, with the event name message<http://www.whatwg.org/specs/web-apps/current-work/multipage/section-event1.html#message0>, which bubbles, is cancelable, and has no default action. The data<http://www.whatwg.org/specs/web-apps/current-work/multipage/section-event1.html#data4> attribute must be set to the value passed as the message argument to the postMessage()<http://www.whatwg.org/specs/web-apps/current-work/multipage/section-crossDocumentMessages.html#postmessage> method, the origin attribute must be set to the origin<http://www.whatwg.org/specs/web-apps/current-work/multipage/section-scripting.html#origin0> of the document that the script that invoked the methods is associated with, and the source<http://www.whatwg.org/specs/web-apps/current-work/multipage/section-event1.html#source2> attribute must be set to the Window<http://www.whatwg.org/specs/web-apps/current-work/multipage/section-the-default0.html#window> object of the default view of the browsing context with which that document is associated.
 4.  Dispatch the event created in the previous step at the target document.
The postMessage()<http://www.whatwg.org/specs/web-apps/current-work/multipage/section-crossDocumentMessages.html#postmessage> method must only return once the event dispatch has been completely processed by the target document (i.e. all three of the capture, target, and bubble phases have been done, and event listeners have been executed as appropriate).
Authors should check the origin attribute to ensure that messages are only accepted from domains that they expect to receive messages from. Otherwise, bugs in the author's message handling code could be exploited by hostile sites.
Authors should include the targetOrigin argument in messages that contain any confidential information, to make sure that the message is only delivered to the recipient to which it was intended.
For example, if document A contains an object<http://www.whatwg.org/specs/web-apps/current-work/multipage/section-embedded0.html#object> element that contains document B, and script in document A calls postMessage()<http://www.whatwg.org/specs/web-apps/current-work/multipage/section-crossDocumentMessages.html#postmessage> on document B, then a message event will be fired on that element, marked as originating from document A. The script in document A might look like:
var o = document.getElementsByTagName('object')[0];
o.contentWindow.postMessage('Hello world', 'http://b.example.com');
To register an event handler for incoming events, the script would use addEventListener() (or similar mechanisms). For example, the script in document B might look like:
document.addEventListener('message', receiver, false);
function receiver(e) {
  if (e.origin == 'http://a.example.com') {
    if (e.data == 'Hello world') {
      e.source.postMessage('Hello', e.origin);
    } else {
This script first checks that the domain is the expected domain, and then looks at the message, which it either displays to the user, or responds to by sending a message back to the document which sent the message in the first place.
The integrity of this API is based on the inability for scripts of one origin to post arbitrary events (using dispatchEvent() or otherwise) to objects in other origins.
Implementors are urged to take extra care in the implementation of this feature. It allows authors to transmit information from one domain to another domain, which is normally disallowed for security reasons. It also requires that UAs be careful to allow access to certain properties but not others.

Sunava Dutta
Program Manager (AJAX) - Developer Experience Team, Internet Explorer
One Microsoft Way, Redmond WA 98052
TEL# (425) 705-1418
FAX# (425) 936-7329

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20080221/0553dd5c/attachment-0001.htm>

More information about the whatwg mailing list