[whatwg] A potential slight security enhancement to postMessage

Jeff Walden jwalden+whatwg at MIT.EDU
Wed Jan 30 18:00:07 PST 2008

I briefly wrote up some documentation on postMessage for the Mozilla Developer Center:


If you pull it up, you'll note two places where I include big, huge, overbearing, somewhat-exaggerating injunctions about first checking the domain/uri/source properties of the received message before trusting the sent data.

Writing those got me thinking: what if we could "enforce" not touching the data before verifying the sender's identity?  Specifically, what if we required that either .domain or .uri be read prior to allowing .data to be successfully accessed, say, without throwing a security error?  (No reason comes to mind for .source to participate in this scheme, either to throw or to allow access to .data, but I haven't given it serious thought.)  This would prevent unknowing misuse of this functionality, and safe uses wouldn't be affected.  I think this would only apply to the event dispatched by postMessage, not to MessageEvent, as the latter is same-origin and there's no harm to a same-origin MessageEvent.

Thoughts?  A no-harm slight increase of the ability to prevent incorrect use of postMessage, or excessive nannying?


More information about the whatwg mailing list