[whatwg] Fixed a security problem with postMessage()
Jeff Walden
jwalden+whatwg at MIT.EDU
Tue Feb 12 12:38:09 PST 2008
Ian Hickson wrote:
> * message.domain isn't actually enough to verify any security, given that on shared hosts one IP address can map to several hostnames and thus people can end up running servers on different ports that respond to requests from domains they don't own.
>
> * message.uri can leak information, e.g. if the user's password is in the query component of the URI.
Good catches on both; I agree these changes make sense.
> I've replaced both with .origin, which is intended to return the scheme://hostname/ or scheme://hostname:port/ (when the port is non-standard) of the origin of the source document.
I assume you meant without the trailing slash, given that that's actually part of the path?
This doesn't sound like it should be too hard to implement, although the manual splicing-out of the username/password from the origin is slightly worrying (if entirely necessary) from a careful-manipulation-is-tricky point of view. I don't see any other option, tho, on that point.
Jeff
More information about the whatwg
mailing list