[whatwg] Small ddition to 220.127.116.11, postMessage's security considerations for authors
ian at hixie.ch
Sun Apr 26 23:16:46 PDT 2009
On Sat, 14 Feb 2009, Jeff Walden wrote:
> The spec should mention that even after MessageEvent.origin's value has
> been checked, MessageEvent.data should also be checked for structural
> correctness, because if the target window contains an XSS hole, improper
> validation of incoming messages could result in the target window's XSS
> hole being propagated into the sender's window as well.
> For example, consider a site A which requests a particular string of
> JSON data from site B, which it then parses into an object using eval().
> If site B is subvertible, the response JSON string may instead be
> arbitrary script which would be executed by site A *as* site A's code.
> Proper validation by site A would mean checking that the sent string
> (Ignore the fact that the site shouldn't be unserializing JSON data
> using eval(), and further ignore that structured data-passing makes this
> particular use obsolescent. Other instances of contamination may be
> possible depending on the sent data and its structure, and this was just
> the simplest example to explain.)
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg