
[whatwg] Fixed a security problem with postMessage()

From: Jeff Walden <jwalden+whatwg@MIT.EDU>
Date: Tue, 12 Feb 2008 15:38:09 -0500
Message-ID: <47B203B1.6010800@mit.edu>
Ian Hickson wrote:
>  * message.domain isn't actually enough to verify any security, given that
>    on shared hosts one IP address can map to several hostnames and thus
>    people can end up running servers on different ports that respond to
>    requests from domains they don't own.
>
>  * message.uri can leak information, e.g. if the user's password is in the
>    query component of the URI.

Good catches on both; I agree these changes make sense.


> I've replaced both with .origin, which is intended to return the scheme://hostname/ or scheme://hostname:port/ (when the port is non-standard) of the origin of the source document.

I assume you meant without the trailing slash, given that that's actually part of the path?


This doesn't sound like it should be too hard to implement, although the manual splicing-out of the username/password from the origin is slightly worrying (if entirely necessary) from a careful-manipulation-is-tricky point of view.  I don't see any other option, tho, on that point.

Jeff
Received on Tuesday, 12 February 2008 12:38:09 UTC
