[whatwg] Small addition to 184.108.40.206, postMessage's security considerations for authors
jwalden+whatwg at MIT.EDU
Sat Feb 14 01:48:53 PST 2009
The spec should mention that even after MessageEvent.origin's value has been checked, MessageEvent.data should also be checked for structural correctness, because if the target window contains an XSS hole, improper validation of incoming messages could result in the target window's XSS hole being propagated into the sender's window as well.
(Ignore the fact that the site shouldn't be unserializing JSON data using eval(), and further ignore that structured data-passing makes this particular use obsolescent. Other instances of contamination may be possible depending on the sent data and its structure, and this was just the simplest example to explain.)
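As an added illustration (not code from the original post), a receiving-window handler that applies both checks the message calls for: it verifies `origin` first, then validates the structure of `data` before acting on it, using `JSON.parse` rather than `eval()`. The origin allowlist, the message schema and the function names are assumptions.

```javascript
"use strict";

// Constructed allowlist: the only windows whose messages are acted on.
const TRUSTED_ORIGINS = new Set(["https://app.example"]);

// Hypothetical schema: the one message shape this window is willing to act on.
// Each entry is a predicate over the field's value.
const SCHEMA = {
  type: (v) => v === "setTitle",
  title: (v) => typeof v === "string" && v.length <= 200,
};

// Accept either a structured-clone object or a JSON string. Never eval().
function parseMessage(data) {
  if (typeof data === "string") {
    try { return JSON.parse(data); } catch (e) { return null; }
  }
  return data;
}

// Structural check: a plain object with exactly the expected keys, each
// passing its predicate. Unknown or missing fields are rejected outright.
function isWellFormed(msg) {
  if (msg === null || typeof msg !== "object" || Array.isArray(msg)) return false;
  const keys = Object.keys(msg);
  if (keys.length !== Object.keys(SCHEMA).length) return false;
  return keys.every(
    (k) => Object.prototype.hasOwnProperty.call(SCHEMA, k) && SCHEMA[k](msg[k])
  );
}

// Takes an object carrying the MessageEvent fields used (origin, data) so it
// can run outside a browser. Returns the accepted message, or null if rejected.
function handleMessage(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return null; // check 1: origin
  const msg = parseMessage(event.data);
  if (!isWellFormed(msg)) return null;                  // check 2: structure
  // Copy only the validated fields so nothing unexpected leaves this function.
  return { type: msg.type, title: msg.title };
}

// Browser wiring (not executed here):
// window.addEventListener("message", (e) => { const m = handleMessage(e); if (m) applyTitle(m.title); });
```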