[whatwg] A potential slight security enhancement to postMessage

Maciej Stachowiak mjs at apple.com
Wed Jan 30 18:11:06 PST 2008


On Jan 30, 2008, at 6:00 PM, Jeff Walden wrote:

> I briefly wrote up some documentation on postMessage for the Mozilla  
> Developer Center:
>
> http://developer.mozilla.org/en/docs/DOM:window.postMessage
>
> If you pull it up, you'll note two places where I include big, huge,  
> overbearing, somewhat-exaggerating injunctions about first checking  
> the domain/uri/source properties of the received message before  
> trusting the sent data.
>
> Writing those got me thinking: what if we could "enforce" not  
> touching the data before verifying the sender's identity?   
> Specifically, what if we required that either .domain or .uri be  
> read prior to allowing .data to be successfully accessed, say,  
> without throwing a security error?  (No reason comes to mind  
> for .source to participate in this scheme, either to throw or to  
> allow access to .data, but I haven't given it serious thought.)   
> This would prevent unknowing misuse of this functionality, and safe  
> uses wouldn't be affected.  I think this would only apply to the  
> event dispatched by postMessage, not to MessageEvent, as the latter  
> is same-origin and there's no harm to a same-origin MessageEvent.
>
> Thoughts?  A no-harm slight increase of the ability to prevent  
> incorrect use of postMessage, or excessive nannying?

The more convenient version of that would be to require clients to  
describe allowed senders when registering for the event in some way.  
That would seem more like a convenience and less like a hoop to jump  
through.

Regards,
Maciej
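Both ideas in the thread, as an added example that is not code from either poster: a wrapper that models Jeff's read-the-sender-first guard and a registration helper that models Maciej's allow-list of permitted senders. Property names .domain/.uri/.source follow the 2008 draft discussed here (the shipped API exposes .origin instead), and the sample messages are constructed.

```javascript
// Added example modelling the two proposals above (not from the thread).
// guardMessage: .data throws unless .domain or .uri was read first.
// onMessageFrom: register a handler with an allow-list of sender domains.
class UntrustedDataError extends Error {}

function guardMessage(msg) {
  let senderChecked = false;
  return {
    get domain() { senderChecked = true; return msg.domain; },
    get uri() { senderChecked = true; return msg.uri; },
    get source() { return msg.source; }, // .source does not count as a check
    get data() {
      if (!senderChecked) {
        throw new UntrustedDataError("read .domain or .uri before .data");
      }
      return msg.data;
    },
  };
}

// Returns a listener that only forwards messages from allowed domains.
function onMessageFrom(allowedDomains, handler) {
  const allowed = new Set(allowedDomains);
  return function listener(msg) {
    const ev = guardMessage(msg);
    // Reading .domain here is the sender check that unlocks .data.
    if (!allowed.has(ev.domain)) return false;
    handler(ev);
    return true;
  };
}

// Constructed sample messages standing in for postMessage events.
const SAMPLE_MESSAGES = [
  { domain: "example.com", uri: "https://example.com/widget", data: "hello" },
  { domain: "other.example", uri: "https://other.example/", data: "unexpected" },
];

// Runs the allow-listed listener over the samples; returns what got through.
function demo() {
  const received = [];
  const listener = onMessageFrom(["example.com"], (ev) => received.push(ev.data));
  const results = SAMPLE_MESSAGES.map(listener);
  return { results, received };
}

// Shows the guard firing when .data is touched before any sender check.
function naiveAccessThrows() {
  try { void guardMessage(SAMPLE_MESSAGES[1]).data; return false; }
  catch (e) { return e instanceof UntrustedDataError; }
}
```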