[whatwg] A potential slight security enhancement to postMessage

Jeff Walden jwalden+whatwg at MIT.EDU
Thu Jan 31 04:25:31 PST 2008


Maciej Stachowiak wrote:
> The more convenient version of that would be to require clients to 
> describe allowed senders when registering for the event in some way. 

I thought about this, but then we necessarily lose the familiarity of the standard event-listener registration process, which outweighs the convenience in my book.  Also, I half-think my suggestion is over-paranoia, and I don't give it enough credence to consider inventing a listener-registration process.

> That would seem more like a convenience and less like a hoop to jump 
> through.

The key, tho, is that this really isn't a hoop to jump through.  Excluding toy "public message board" demos, can you describe a use case for postMessage where it is not necessary to know the identity of the sender?  To know the identity you have to check domain or uri, and there's no reason not to do that before getting the sent data.


I also see a message to this list from Collin Jackson which *should* have arrived in my inbox hours ago but hasn't, and I don't see it in my spam folder.  I'm going to give it another half-day or so to appear, and at that point I'll do my best to respond without destroying the threading too much.  The ideas suggested there are at first glance orthogonal to my original suggestion, and I also need time to fully formulate a response.

Jeff
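
Added example, not part of the original message or of the WHATWG draft: one way to declare allowed senders while keeping the standard event-listener registration, with the identity check done before the sent data is read. `restrictSenders` and `makeEvent` are hypothetical names, the origins are constructed, and the code assumes the modern `event.origin` property rather than the `domain`/`uri` attributes discussed in this thread.

```javascript
// Added example (not from the original message). Assumes the modern
// MessageEvent.origin property; the draft discussed in this thread
// identified the sender by domain or uri instead.

// Hypothetical helper: wraps a handler so it runs only for listed senders.
function restrictSenders(allowedOrigins, handler) {
  const allowed = new Set();
  for (const o of allowedOrigins) {
    // Normalise through URL so only scheme://host[:port] is compared.
    const origin = new URL(o).origin;
    if (origin === "null") throw new TypeError("not a usable origin: " + o);
    allowed.add(origin);
  }
  return function listener(event) {
    // Identity check first, by exact match; event.data is not read on reject.
    if (typeof event.origin !== "string" || !allowed.has(event.origin)) {
      return false;
    }
    handler(event.data, event.origin, event.source);
    return true;
  };
}

// Constructed stand-in for a MessageEvent that counts reads of .data.
function makeEvent(origin, payload) {
  const ev = { origin, source: null, dataReads: 0 };
  Object.defineProperty(ev, "data", {
    get() { ev.dataReads += 1; return payload; },
  });
  return ev;
}

function demo() {
  const received = [];
  const listener = restrictSenders(["https://widgets.example"],
    (data, origin) => received.push({ data, origin }));
  const events = [
    makeEvent("https://widgets.example", "hello"),            // listed sender
    makeEvent("https://widgets.example.other.test", "spoof"), // look-alike
    makeEvent("null", "sandboxed"),                           // opaque origin
  ];
  const accepted = events.map((ev) => listener(ev));
  return { received, accepted, dataReads: events.map((ev) => ev.dataReads) };
}

// In a page: window.addEventListener("message", restrictSenders([...], fn));
```

The comparison is an exact match on the normalised origin, so a look-alike host that merely begins with an allowed name is rejected without its data being touched.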


