[whatwg] Fixed a security problem with postMessage()

Ian Hickson ian at hixie.ch
Tue Feb 12 12:03:46 PST 2008

While going through the feedback for postMessage(), I noticed a couple of 
security problems that nobody had raised:

 * message.domain isn't actually enough to verify any security, given that 
   on shared hosts one IP address can map to several hostnames and thus 
   people can end up running servers on different ports that respond to 
   requests from domains they don't own.

 * message.uri can leak information, e.g. if the user's password is in the 
   query component of the URI.

Basically, .domain is too little, and .uri is too much.

I've replaced both with .origin, which is intended to return the 
scheme://hostname/ or scheme://hostname:port/ (when the port is 
non-standard) of the origin of the source document.

It's still vague for data: URIs, etc; I have outstanding feedback on that 
matter and will address that when I respond to that feedback.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list