[whatwg] A potential slight security enhancement to postMessage
Ian Hickson
ian at hixie.ch
Tue Feb 12 15:40:24 PST 2008
On Wed, 30 Jan 2008, Collin Jackson wrote:
>
> Here is a suggestion for a backwards-compatible addition to the
> postMessage specification:
>
> Currently postMessage is great for sending authenticated messages
> between frames. The receiver knows exactly where each message came from.
> However, it doesn't provide any confidentiality guarantees. When you're
> posting a message to a window, you have no way of knowing who is
> listening on the other end, because the same-origin policy prevents you
> from reading the domain and URI of that window. The window may have been
> showing a page loaded from foo.com the last time you received a message
> from it, but it might be displaying content from bar.com now; if you
> send it a message, you don't whether the message will be received by
> foo.com or bar.com.
>
> For non-security-sensitive messages, like "change your font color to
> red", confidentiality might not be needed. However, if the message
> you're trying to send contains a password, it would be nice to be able
> to specify which domain you're trying to send it to.
>
> The postMessage API could be extended to provide confidentiality by
> adding some optional arguments:
>
> void postMessage(in DOMString message, [optional] in DOMString domain,
> [optional] in DOMString uri);
Done, using just 'origin'.
On Fri, 1 Feb 2008, Collin Jackson wrote:
>
> You can try it out here:
> <http://crypto.stanford.edu/websec/post-message/challenge-response/>.
>
> This turned out to be slightly tricky. To send a single message, the
> sender has to first post a message to the recipient. The recipient then
> responds. At this point, during the execution of this callback, the
> domain and uri attributes of the event are accurate and the sender can
> safely send the message. There are a number of gotchas, which we think
> we've handled correctly, but it's hard to be sure. In the end, it would
> be much simpler and less error-prone to write this as a single line of
> code:
>
> frames[0].postMessage(message, "theory.stanford.edu");
You now have to say:
frames[0].postMessage(message, "http://theory.standford.edu");
Note that as defined, this:
frames[0].postMessage(message, "http://example.com/victim");
...will allow messages to be sent to, e.g. "http://example.com/evil".
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg
mailing list