[whatwg] Fixed a security problem with postMessage()

Jeff Walden jwalden+whatwg at MIT.EDU
Tue Feb 12 12:38:09 PST 2008


Ian Hickson wrote:
>  * message.domain isn't actually enough to verify any security, given that    on shared hosts one IP address can map to several hostnames and thus    people can end up running servers on different ports that respond to    requests from domains they don't own.
>
>  * message.uri can leak information, e.g. if the user's password is in the    query component of the URI.

Good catches on both; I agree these changes make sense.


> I've replaced both with .origin, which is intended to return the scheme://hostname/ or scheme://hostname:port/ (when the port is non-standard) of the origin of the source document.

I assume you meant without the trailing slash, given that that's actually part of the path?


This doesn't sound like it should be too hard to implement, although the manual splicing-out of the username/password from the origin is slightly worrying (if entirely necessary) from a careful-manipulation-is-tricky point of view.  I don't see any other option, tho, on that point.

Jeff



More information about the whatwg mailing list