[whatwg] A potential slight security enhancement to postMessage

On Feb 1, 2008 8:18 PM, Jeff Walden <jwalden+whatwg at mit.edu> wrote:
> > Currently postMessage is great for sending authenticated messages
> > between frames. The receiver knows exactly where each message came
> > from. However, it doesn't provide any confidentiality guarantees. When
> > you're posting a message to a window, you have no way of knowing who
> > is listening on the other end, because the same-origin policy prevents
> > you from reading the domain and URI of that window. The window may
> > have been showing a page loaded from foo.com the last time you
> > received a message from it, but it might be displaying content from
> > bar.com now; if you send it a message, you don't know whether the message
> > will be received by foo.com or bar.com.
>
> I noted in IRC discussion that postMessage being sync allows a
> challenge-response protocol to be safely used here, and you can determine
> the target's identification using domain/uri on the responding message;
> counter-response was that's somewhat complicated. Fair enough; I'm not
> sure if super-security is the main use case for this feature or not (lightweight
> collaboration seems more likely to me, but I don't really know), so I'm
> hesitant to comment too much on it.

You could implement confidentiality on top of the original synchronous
postMessage using a wrapper that performs challenge-response. Adam and
I implemented this as a 48-line JavaScript library.

You can try it out here:
<http://crypto.stanford.edu/websec/post-message/challenge-response/>.

This turned out to be slightly tricky. To send a single message, the
sender has to first post a message to the recipient. The recipient
then responds. At this point, during the execution of this callback,
the domain and uri attributes of the event are accurate and the sender
can safely send the message. There are a number of gotchas, which we
think we've handled correctly, but it's hard to be sure. In the end,
it would be much simpler and less error-prone to write this as a
single line of code:

frames[0].postMessage(message, "theory.stanford.edu");

Collin Jackson
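The challenge-response wrapper described above, as an added JavaScript example (not the Stanford library, whose code is not reproduced here). It assumes a constructed in-memory model of the synchronous postMessage of that era, with `event.domain` filled in by the mock browser, so it runs outside a browser; the `CHALLENGE`/`CHALLENGE-REPLY` message names and the `sendConfidential`/`installReceiver` helpers are constructed for the example.

```javascript
// Constructed model of 2008-era postMessage: delivery is synchronous and the
// "browser" stamps event.domain with the domain of the document that sent it.
class MockWindow {
  constructor(domain) { this.domain = domain; this.handler = null; }
  // Loading a new document discards the old document's listener.
  navigate(domain) { this.domain = domain; this.handler = null; }
  onmessage(fn) { this.handler = fn; }
  // Returns only after the receiving document's handler has run.
  postMessage(data, source) {
    if (this.handler) this.handler({ data, domain: source.domain, source });
  }
}

// Sender side: hand `secret` to `target` only if the document currently loaded
// there proves, inside the synchronous reply, that it belongs to expectedDomain.
function sendConfidential(sender, target, expectedDomain, secret) {
  let delivered = false;
  sender.onmessage(function (ev) {
    // We are still inside our own postMessage call, so the replying document
    // cannot have been replaced by a navigation since it answered.
    if (ev.data === 'CHALLENGE-REPLY' && ev.domain === expectedDomain) {
      ev.source.postMessage(secret, sender);
      delivered = true;
    }
  });
  target.postMessage('CHALLENGE', sender);
  sender.onmessage(null);            // one-shot listener; remove it again
  return delivered;
}

// Receiver side: answer challenges, keep any real payload that arrives.
function installReceiver(win) {
  const inbox = [];
  win.onmessage(function (ev) {
    if (ev.data === 'CHALLENGE') ev.source.postMessage('CHALLENGE-REPLY', win);
    else inbox.push(ev.data);
  });
  return inbox;
}

// Scenario: sender at theory.stanford.edu, frame expected to hold foo.com.
// If navigateTo is given, the frame has since been replaced by that domain.
function scenario(navigateTo) {
  const sender = new MockWindow('theory.stanford.edu');
  const frame = new MockWindow('foo.com');
  let inbox = installReceiver(frame);
  if (navigateTo) { frame.navigate(navigateTo); inbox = installReceiver(frame); }
  const ok = sendConfidential(sender, frame, 'foo.com', 'secret token');
  return { ok, inbox };             // ok: whether the secret was released
}
```

With the frame still at foo.com the secret is delivered; after the frame has navigated to bar.com the reply carries the wrong domain and the secret is withheld. Modern browsers instead ship the single-line form from the message, `postMessage(message, targetOrigin)`, and dispatch asynchronously, so the round-trip above is no longer needed.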

Received on Friday, 1 February 2008 21:54:24 UTC