[whatwg] postMessage: event.source allows navigation of sender

[Maciej Stachowiak]

On Feb 7, 2008, at 2:27 AM, Hallvord R M Steen wrote:

>>>
>> The source attribute of the message event does not leak any  
>> privileges
>> to the recipient in Internet Explorer, Firefox, and Safari because
>> these browsers do not make this assumption and instead check whether
>> the script is permitted to navigate the frame when the script assigns
>> window.location.
>
> Adam, I don't quite follow you here because I don't know any IE or
> Safari implementation of window.postMessage. I'm quite sure IE doesn't
> implement it, I  tried googling for Safari and
> postMessage/cross-document messaging but didn't find anything. As far
> as I know only Firefox 3 betas and Opera supports this, so no other
> implementations can be tested.

The current development version of WebKit includes support for cross- 
document messaging. I don't think any publicly available version of IE  
has it. However I think Adam was speaking in the general sense here,  
that getting a window object reference that you couldn't otherwise  
would not leak navigation capability in the named browsers regardless  
of how you get it.

>
>> Other browsers do not equate having a JavaScript pointer to a frame
>> with the ability to navigate that frame.
>
> Again if you can back that up with test cases I'd love to see them :-)

I don't have a test case handy for this but I can assure you Safari/ 
WebKit only allows navigating other frames in the following cases:

     // The navigation change is safe if the active frame is:
     //   - in the same security origin as the target or one of the  
target's ancestors
     // Or the target frame is:
     //   - a top-level frame in the frame hierarchy

This test is applied at the time window.location is assigned. If these  
conditions are not met, assigning the location property of another  
frame/window has no effect.

You can probably figure out how to make a test case based on this.

Regards,
Maciej