[whatwg] Small ddition to, postMessage's security considerations for authors

Ian Hickson ian at hixie.ch
Sun Apr 26 23:16:46 PDT 2009

On Sat, 14 Feb 2009, Jeff Walden wrote:
> The spec should mention that even after MessageEvent.origin's value has 
> been checked, MessageEvent.data should also be checked for structural 
> correctness, because if the target window contains an XSS hole, improper 
> validation of incoming messages could result in the target window's XSS 
> hole being propagated into the sender's window as well.
> For example, consider a site A which requests a particular string of 
> JSON data from site B, which it then parses into an object using eval().  
> If site B is subvertible, the response JSON string may instead be 
> arbitrary script which would be executed by site A *as* site A's code.  
> Proper validation by site A would mean checking that the sent string 
> actually is JSON and not arbitrary syntactically-correct JavaScript.
> (Ignore the fact that the site shouldn't be unserializing JSON data 
> using eval(), and further ignore that structured data-passing makes this 
> particular use obsolescent.  Other instances of contamination may be 
> possible depending on the sent data and its structure, and this was just 
> the simplest example to explain.)


Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list