W3C home > Mailing lists > Public > whatwg@whatwg.org > February 2008

[whatwg] Fixed a security problem with postMessage()

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 12 Feb 2008 20:03:46 +0000 (UTC)
Message-ID: <Pine.LNX.4.62.0802121958120.20115@hixie.dreamhostps.com>

While going through the feedback for postMessage(), I noticed a couple of 
security problems that nobody had raised:

 * message.domain isn't actually enough to verify any security, given that 
   on shared hosts one IP address can map to several hostnames and thus 
   people can end up running servers on different ports that respond to 
   requests from domains they don't own.

 * message.uri can leak information, e.g. if the user's password is in the 
   query component of the URI.

Basically, .domain is too little, and .uri is too much.

I've replaced both with .origin, which is intended to return the 
scheme://hostname/ or scheme://hostname:port/ (when the port is 
non-standard) of the origin of the source document.

It's still vague for data: URIs, etc; I have outstanding feedback on that 
matter and will address that when I respond to that feedback.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 12 February 2008 12:03:46 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:08:39 UTC