- From: <bugzilla@jessica.w3.org>
- Date: Wed, 03 Aug 2011 05:54:15 +0000
- To: public-html@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=13588 Summary: [web messaging] Erroneous origin check in algorithm Product: HTML WG Version: unspecified Platform: Other URL: http://www.w3.org/mid/1312266627.13091.4.camel@papyrus OS/Version: All Status: NEW Severity: normal Priority: P3 Component: HTML5 spec (editor: Ian Hickson) AssignedTo: ian@hixie.ch ReportedBy: mike+html-wg-mailbot@w3.org QAContact: public-html-bugzilla@w3.org CC: mike@w3.org, public-html-wg-issue-tracking@w3.org, public-html@w3.org public-html-comments posting from: Philippe De Ryck <philippe.deryck@cs.kuleuven.be> http://www.w3.org/mid/1312266627.13091.4.camel@papyrus The following comment contains detailed information about an issue that was discovered during a recent security analysis of 13 next generation web standards, organized by ENISA (European Network and Information Security Agency), and performed by the DistriNet Research Group (K.U. Leuven, Belgium). The complete report is available at http://www.enisa.europa.eu/html5 (*), and contains information about the process, the discovered vulnerabilities and recommendations towards improving overall security in the studied specifications. Summary --------- The specification uses the origin of the script's document for checks, except in step 9 of the algorithm to post a message. Based on: HTML5 Web Messaging, 7 July 2011 Relevant Sections: 4.3. Posting Messages Issue ------- Throughout the specification, the origin of the script's document is used. In section 4.3, step 9 of the algorithm, the origin attribute is set to the "origin of the script that invoked the method". This should probably be the "origin of the document of the script that ...", to handle cases of domain relaxation (using document.domain). This is also how it is currently implemented (tested in Firefox and Chrome) Recommended Solution ---------------------- Update step 9 of the specification to the following (addition marked by --> <--): Create an event that uses the MessageEvent interface, with the event name message, which does not bubble, is not cancelable, and has no default action. The data attribute must be set to the value of message clone, the origin attribute must be set to the Unicode serialization of the origin of --> document containing <-- the script that invoked the method, the source attribute must be set to the script's global object's WindowProxy object, and the ports attribute must be set to the new ports array. (*) HTML version of the report is available as well: https://distrinet.cs.kuleuven.be/projects/HTML5-security/ -- Philippe De Ryck K.U.Leuven, Dept. of Computer Science Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm -- Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
Received on Wednesday, 3 August 2011 05:54:16 UTC