[whatwg] postMessage: event.source allows navigation of sender
mjs at apple.com
Thu Feb 7 03:43:04 PST 2008
On Feb 7, 2008, at 2:27 AM, Hallvord R M Steen wrote:
>> The source attribute of the message event does not leak any
>> to the recipient in Internet Explorer, Firefox, and Safari because
>> these browsers do not make this assumption and instead check whether
>> the script is permitted to navigate the frame when the script assigns
> Adam, I don't quite follow you here because I don't know any IE or
> Safari implementation of window.postMessage. I'm quite sure IE doesn't
> implement it, I tried googling for Safari and
> postMessage/cross-document messaging but didn't find anything. As far
> as I know only Firefox 3 betas and Opera supports this, so no other
> implementations can be tested.
The current development version of WebKit includes support for
cross-document messaging. I don't think any publicly available version of IE
has it. However I think Adam was speaking in the general sense here,
that getting a window object reference that you couldn't otherwise
would not leak navigation capability in the named browsers regardless
of how you get it.
>> with the ability to navigate that frame.
> Again if you can back that up with test cases I'd love to see them :-)
I don't have a test case handy for this but I can assure you
Safari/WebKit only allows navigating other frames in the following cases:
// The navigation change is safe if the active frame is:
// - in the same security origin as the target or one of the
// Or the target frame is:
// - a top-level frame in the frame hierarchy
This test is applied at the time window.location is assigned. If these
conditions are not met, assigning the location property of another
frame/window has no effect.
You can probably figure out how to make a test case based on this.
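
An added example, not part of the original message and not WebKit code: a small JavaScript model of the check described above, showing that holding a window reference (such as event.source) does not by itself let a script navigate that frame. Frame, canNavigate, assignLocation and all URLs are hypothetical; only the two conditions stated in full in the message are modelled, and the clause that is cut off after "or one of the" is left out.

```javascript
// Toy model of the navigation check described in the message.
// All names and URLs here are constructed for illustration.
class Frame {
  constructor(name, url, parent = null) {
    this.name = name;
    this.url = url;
    this.parent = parent; // null means a top-level frame
  }
  get origin() {
    return new URL(this.url).origin; // scheme + host + port
  }
}

// Only the two conditions fully quoted in the message are modelled.
function canNavigate(active, target) {
  if (active.origin === target.origin) return true; // same security origin
  if (target.parent === null) return true;          // target is top-level
  return false;
}

// The check is applied when location is assigned; if it fails,
// the assignment has no effect on the target frame.
function assignLocation(active, target, newUrl) {
  if (!canNavigate(active, target)) return false;
  target.url = newUrl;
  return true;
}

// Constructed scenario: "receiver" gets a message whose event.source
// is a reference to "sender", a cross-origin sibling frame.
function runScenario() {
  const top = new Frame("top", "https://portal.example/");
  const receiver = new Frame("receiver", "https://a.example/in", top);
  const sender = new Frame("sender", "https://b.example/out", top);
  const helper = new Frame("helper", "https://a.example/help", top);
  const source = sender; // stands in for event.source
  return {
    viaEventSource: assignLocation(receiver, source, "https://a.example/x"),
    senderUrlAfter: sender.url,
    sameOrigin: assignLocation(receiver, helper, "https://a.example/y"),
    topLevel: assignLocation(receiver, top, "https://a.example/z"),
  };
}

console.log(runScenario());
```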