
[Bug 14900] New: note about checking "origin" attribute of MessageEvent

From: <bugzilla@jessica.w3.org>
Date: Tue, 22 Nov 2011 08:46:28 +0000
To: public-webapps@w3.org
Message-ID: <bug-14900-2927@http.www.w3.org/Bugs/Public/>

           Summary: note about checking "origin" attribute of MessageEvent
           Product: WebAppsWG
           Version: unspecified
          Platform: PC
        OS/Version: Windows NT
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Server-Sent Events (editor: Ian Hickson)
        AssignedTo: ian@hixie.ch
        ReportedBy: vic99999@yandex.ru
         QAContact: member-webapi-cvs@w3.org
                CC: mike@w3.org, public-webapps@w3.org


"Authors should check the origin attribute to ensure that messages are only
accepted from domains that they expect to receive messages from. Otherwise,
bugs in the author's message handling code could be exploited by hostile

That warning is especially relevant for window.postMessage() messages and not
so much for EventSource and WebSocket, and this should be marked in the spec.

See http://krijnhoetmer.nl/irc-logs/whatwg/20111122#l-381

Received on Tuesday, 22 November 2011 08:46:34 UTC
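
The origin check that the quoted spec note asks for, applied to the window.postMessage() case the report singles out, as an added example that is not part of the original message or the spec. The allowlist entries, the { type, payload } message shape and the sample events are constructed assumptions.

```javascript
// Added example, not from the spec or the bug report.
// TRUSTED_ORIGINS and the { type, payload } message shape are assumptions.
const TRUSTED_ORIGINS = new Set([
  "https://widgets.example.com",
  "https://pay.example.com",
]);

// Builds a listener for window.addEventListener("message", ...).
// It returns a verdict object so the decision can be logged or tested.
function makeMessageHandler(trusted, onAccepted) {
  return function handleMessage(event) {
    // Compare the whole serialized origin (scheme://host[:port]) exactly.
    // Prefix, suffix or substring tests would also accept look-alike hosts
    // such as "https://widgets.example.com.attacker.test".
    if (typeof event.origin !== "string" || !trusted.has(event.origin)) {
      return { accepted: false, reason: "untrusted origin" };
    }
    // A trusted origin does not make the payload well-formed: validate it too.
    const msg = event.data;
    if (msg === null || typeof msg !== "object" || typeof msg.type !== "string") {
      return { accepted: false, reason: "malformed data" };
    }
    onAccepted(msg, event.origin);
    return { accepted: true, reason: "ok" };
  };
}

// Constructed sample events (plain objects standing in for MessageEvent).
const SAMPLE_EVENTS = [
  { origin: "https://widgets.example.com", data: { type: "resize", payload: 300 } },
  { origin: "https://widgets.example.com.attacker.test", data: { type: "resize" } },
  { origin: "http://widgets.example.com", data: { type: "resize" } }, // wrong scheme
  { origin: "null", data: { type: "resize" } }, // opaque origin, e.g. sandboxed iframe
  { origin: "https://pay.example.com", data: "not-an-object" },
];

function runSamples() {
  const accepted = [];
  const handler = makeMessageHandler(TRUSTED_ORIGINS, (msg, origin) => {
    accepted.push(origin + " " + msg.type);
  });
  const verdicts = SAMPLE_EVENTS.map((ev) => handler(ev).reason);
  return { verdicts, accepted };
}

// In a page, the same handler would be registered like this:
if (typeof window !== "undefined") {
  window.addEventListener("message", makeMessageHandler(TRUSTED_ORIGINS, () => {}));
}
```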
