[whatwg] postMessage: event.source allows navigation of sender

On Feb 7, 2008 10:24 AM, Hallvord R M Steen wrote:
> Adam Barth and Collin Jackson pointed out to me that while
> investigating frame navigation policies they found that a recipient of
> a postMessage in Opera can set event.source.location, and thus navigate
> the sender window/document. I think this is a bug in the API itself.

If what you say is true (see below) I'd rather say it's a bug in
Opera's implementation.

> This seems to violate the API's promise of safe cross-domain
> communication even with untrusted documents. One can imagine use cases
> where a script in document A has a reference to window B and thus can
> post messages, but window B does not have any to A and would not under
> normal circumstances be able to change A's address.

Shouldn't event.source.location be read-only? Isn't that a direct
application of the same-origin policy?

The current draft contains the following note:
"Implementors are urged to take extra care in the implementation of
this feature. It allows authors to transmit information from one
domain to another domain, which is normally disallowed for security
reasons. It also requires that UAs be careful to allow access to
certain properties but not others."

See also http://www.whatwg.org/specs/web-apps/current-work/multipage/section-history.html#security5

And setting the event.source (Window object)'s location property is
covered by the following paragraph:
"In the ECMAScript DOM binding, the location members of the
HTMLDocument and Window interfaces behave as if they had a setter:
user agents must treats attempts to set these location attribute as
attempts at setting the href attribute of the relevant Location object
instead."
source: http://www.whatwg.org/specs/web-apps/current-work/multipage/section-history.html#location0

which "invokes" the #security5 above.

-- 
Thomas Broyer

Received on Thursday, 7 February 2008 01:45:53 UTC
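
The delegation quoted in the message above (assigning to `location` is treated as assigning to `location.href`, which is where the security check applies), as an added model that is not part of the original message or of any browser's code. `ModelWindow`, `ModelLocation`, `asSeenBy` and `sameOriginOnly` are hypothetical names, and the policy is an assumed stand-in for the rule in the linked section.

```javascript
// Model only: every name here is hypothetical, not a browser or spec API.
class SecurityError extends Error {}
class ModelLocation {
  constructor(owner, policy) {
    this.owner = owner;   // the ModelWindow this Location belongs to
    this.policy = policy; // (callerOrigin, targetWindow) => boolean
  }
  // Every navigation request ends here, so the check lives in one place.
  setHref(callerOrigin, url) {
    if (!this.policy(callerOrigin, this.owner)) {
      throw new SecurityError(`${callerOrigin} may not navigate ${this.owner.origin}`);
    }
    this.owner.url = url;
    this.owner.origin = new URL(url).origin;
  }
}

class ModelWindow {
  constructor(url, policy) {
    this.url = url;
    this.origin = new URL(url).origin;
    this.loc = new ModelLocation(this, policy);
  }
  // The reference to this window held by a script running in callerOrigin.
  asSeenBy(callerOrigin) {
    const loc = this.loc;
    const locationView = { set href(url) { loc.setHref(callerOrigin, url); } };
    return {
      get location() { return locationView; },
      // Quoted rule: setting `location` is treated as setting location.href.
      set location(url) { locationView.href = url; },
    };
  }
}

// Assumed stand-in policy; the draft's actual rule is in the linked section.
const sameOriginOnly = (callerOrigin, target) => callerOrigin === target.origin;
// Constructed scenario: recipient B gets a message whose source is sender A.
function recipientSetsSourceLocation(policy, recipientOrigin = "https://b.example") {
  const sender = new ModelWindow("https://a.example/page", policy);
  const event = { origin: sender.origin, source: sender.asSeenBy(recipientOrigin) };
  try {
    event.source.location = "https://b.example/elsewhere";
    return { blocked: false, senderUrl: sender.url };
  } catch (e) {
    if (!(e instanceof SecurityError)) throw e;
    return { blocked: true, senderUrl: sender.url };
  }
}
```

Passing a policy that always returns `true` models a check that is missing on this path: the sender's URL changes, which is the outcome the thread describes.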