- From: poot <cvsmail@w3.org>
- Date: Mon, 27 Apr 2009 15:18:19 +0900 (JST)
- To: public-html-diffs@w3.org
Warn about not trusting trusted sources in postMessage(). (credit: jw) (whatwg r2999)

7.2.2.1 Authors
http://people.w3.org/mike/diffs/html5/spec/Overview.1.2162.html#authors

http://people.w3.org/mike/diffs/html5/spec/Overview.diff.html
http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.2161&r2=1.2162&f=h
http://html5.org/tools/web-apps-tracker?from=2998&to=2999

===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.2161
retrieving revision 1.2162
diff -u -d -r1.2161 -r1.2162
--- Overview.html 27 Apr 2009 04:11:21 -0000 1.2161
+++ Overview.html 27 Apr 2009 06:16:48 -0000 1.2162
@@ -45584,7 +45584,12 @@ purposes.<p>Authors should check the <code title="dom-MessageEvent-origin"><a href="#dom-messageevent-origin">origin</a></code> attribute to ensure that messages are only accepted from domains that they expect to receive messages from. Otherwise, bugs in the author's message - handling code could be exploited by hostile sites.<p>Authors should not use the wildcard keyword ("*") in the <var title="">targetOrigin</var> argument in messages that contain any + handling code could be exploited by hostile sites.<p>Furthermore, even after checking the <code title="dom-MessageEvent-origin"><a href="#dom-messageevent-origin">origin</a></code> attribute, authors + should also check that the data in question is of the expected + format. Otherwise, if the source of the event has been attacked + using a cross-site scripting flaw, further unchecked processing of + information sent using the <code title="dom-window-postMessage-2"><a href="#dom-window-postmessage-2">postMessage()</a></code> method could + result in the attack being propagated into the receiver.<p>Authors should not use the wildcard keyword ("*") in the <var title="">targetOrigin</var> argument in messages that contain any confidential information, as otherwise there is no way to guarantee that the message is only delivered to the recipient to which it was intended.<div class="impl">
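Review bot: In the added paragraph, "check that the data in question is of the expected format" does not say what a conforming check is, and the threat it describes (a trusted origin that has itself been compromised through a cross-site scripting flaw) is exactly the case where a vague format check is not enough. Suggest stating that message data must be treated as untrusted input whatever its origin, i.e. its structure and values validated against what the receiver expects before use, and never interpreted as script or inserted as markup. The retained sentence just above, "messages are only accepted from domains that they expect to receive messages from", should also say "origins" rather than "domains", since the attribute being checked is named origin and an exact-origin comparison is the check that is actually meant. A short example pairing an exact-origin comparison with a structural check of the data would make both requirements concrete for authors.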
Received on Monday, 27 April 2009 06:18:56 UTC