
Re: CSP and PostMessage?

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Mon, 19 Dec 2011 00:19:30 -0800
Message-ID: <CAPfop_3tf-MM6KWK8=JRv+-AMoAi13qZLRDThk8+3_gzsN0Jwg@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: public-web-security@w3.org

Hi

> I don't recall any discussions about it. Since postMessage() can
> already be used safely I'm not feeling a burning need for it, but
> maybe you can convince us.

The paper I linked demonstrates actual vulnerabilities that Facebook
Connect had a while back. IIRC, another example in the paper was an
exchange where the postMessage origin was checked in the first
exchange and a 'secret' key set up. Subsequent interactions were
checked using the 'secret' key; but since JavaScript's PRNG is not
cryptographically secure MITMing the communication was trivial.

XSS-free applications are also possible, but a pain without CSP. So is
using postMessage correctly (although using postMessage correctly is
way easier than an XSS-free app).

> If developers aren't remembering to use the security features that
> already exist would they think to add it to a content security policy?
>

I imagine the CSP policy can be written by someone else. Currently, it
is the case that every postMessage handler needs a security review to
ensure that the origin is correctly checked (e.g., subtle bugs like
maybe someone forgot to check that the scheme is https and not http,
or the regex for checking origin is broken .*trusted\.com instead of
.*\.trusted\.com). This is annoying.


thanks
devdatta
Received on Monday, 19 December 2011 10:58:32 GMT
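The two origin-check bugs named in the message above (scheme not checked, and an unanchored regex such as .*trusted\.com) are easy to exercise outside a browser. The following is an added example, not code from the thread or from any of the products it mentions: it puts the sloppy regexes beside an anchored, scheme-checked regex and an exact allow-list match, and runs all four against a constructed list of origins. The trusted host names are assumptions for illustration. It runs under Node with no browser; in a page the handler would be registered with window.addEventListener('message', ...).

```javascript
// Added example (not from the original thread): origin checks for a
// postMessage handler. event.origin is always "scheme://host[:port]",
// normalised by the browser, so the strict checks need no parsing.

// Buggy check 1: the regex quoted in the mail, ".*trusted\.com".
// Unanchored and scheme-blind: anything containing "trusted.com" passes.
function isTrustedBuggyRegex(origin) {
  return /.*trusted\.com/.test(origin);
}

// Buggy check 2: the intended ".*\.trusted\.com", still unanchored.
// It no longer accepts "eviltrusted.com", but still ignores the scheme,
// still accepts "app.trusted.com.evil.example", and now rejects the apex.
function isTrustedUnanchoredRegex(origin) {
  return /.*\.trusted\.com/.test(origin);
}

// Fixed regex: anchored at both ends, https only, apex or subdomains.
// (Hypothetical host; a real deployment would also decide about ports.)
function isTrustedAnchoredRegex(origin) {
  return /^https:\/\/([a-z0-9-]+\.)*trusted\.com$/.test(origin);
}

// Simplest correct form: exact match against an allow-list of full origins.
const TRUSTED_ORIGINS = new Set([ // hypothetical allow-list
  'https://trusted.com',
  'https://app.trusted.com',
]);
function isTrustedStrict(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// A handler that reports what it would do, so each check can be exercised.
// The payload is only touched after the origin check has passed.
function makeHandler(check) {
  return function handler(event) {
    if (!check(event.origin)) return { accepted: false };
    return { accepted: true, data: event.data };
  };
}

// Constructed probe origins: the first two are legitimate, the rest are
// attacker-reachable origins (wrong scheme, suffix match, prefix match).
const PROBES = [
  'https://trusted.com',
  'https://app.trusted.com',
  'http://trusted.com',                   // plain http: any network MITM
  'http://app.trusted.com',               // same, for a subdomain
  'https://eviltrusted.com',              // registrable by anyone
  'https://app.trusted.com.evil.example', // "trusted.com" as a prefix
];

// Returns the subset of PROBES that the given check lets through.
function evaluate(check) {
  const handler = makeHandler(check);
  return PROBES.filter((origin) => handler({ origin, data: 'hello' }).accepted);
}

// Print the comparison when run directly: node origin-check.js
for (const [name, check] of [
  ['buggy regex      ', isTrustedBuggyRegex],
  ['unanchored regex ', isTrustedUnanchoredRegex],
  ['anchored regex   ', isTrustedAnchoredRegex],
  ['exact allow-list ', isTrustedStrict],
]) {
  console.log(name, evaluate(check));
}
```

The output makes the point of the message concrete: the regex from the mail accepts all six origins, the "fixed" unanchored regex still accepts two attacker origins while rejecting the legitimate apex, and only the anchored regex and the exact allow-list accept exactly the two intended origins. The allow-list is the form that needs no review of regex semantics at all, which is why it is the one to reach for.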