
html5/spec Overview.html,1.2161,1.2162

From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
Date: Mon, 27 Apr 2009 06:16:51 +0000
To: public-html-commits@w3.org
Message-Id: <E1LyK95-0007OY-9c@lionel-hutz.w3.org>
Update of /sources/public/html5/spec
In directory hutz:/tmp/cvs-serv28412

Modified Files:
	Overview.html 
Log Message:
Warn about not trusting trusted sources in postMessage(). (credit: jw) (whatwg r2999)

Index: Overview.html
===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.2161
retrieving revision 1.2162
diff -u -d -r1.2161 -r1.2162
--- Overview.html	27 Apr 2009 04:11:21 -0000	1.2161
+++ Overview.html	27 Apr 2009 06:16:48 -0000	1.2162
@@ -45584,7 +45584,12 @@
   purposes.<p>Authors should check the <code title="dom-MessageEvent-origin"><a href="#dom-messageevent-origin">origin</a></code> attribute to ensure
   that messages are only accepted from domains that they expect to
   receive messages from. Otherwise, bugs in the author's message
-  handling code could be exploited by hostile sites.<p>Authors should not use the wildcard keyword ("*") in the <var title="">targetOrigin</var> argument in messages that contain any
+  handling code could be exploited by hostile sites.<p>Furthermore, even after checking the <code title="dom-MessageEvent-origin"><a href="#dom-messageevent-origin">origin</a></code> attribute, authors
+  should also check that the data in question is of the expected
+  format. Otherwise, if the source of the event has been attacked
+  using a cross-site scripting flaw, further unchecked processing of
+  information sent using the <code title="dom-window-postMessage-2"><a href="#dom-window-postmessage-2">postMessage()</a></code> method could
+  result in the attack being propagated into the receiver.<p>Authors should not use the wildcard keyword ("*") in the <var title="">targetOrigin</var> argument in messages that contain any
   confidential information, as otherwise there is no way to guarantee
   that the message is only delivered to the recipient to which it was
   intended.<div class="impl">
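Review bot: the new paragraph (lines starting "Furthermore, even after checking") tells authors to check that the data is "of the expected format" but never says what to do when the check fails; suggest adding that a message whose data does not match the expected format must be ignored without further processing, mirroring the preceding sentence's "messages are only accepted from domains that they expect". It would also help to say concretely what "expected format" means here (for example, that the data is a string or structured value of the type the receiver is designed to handle) so that "further unchecked processing" reads as a defined failure mode rather than a vague one.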
Received on Monday, 27 April 2009 06:17:00 GMT