- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Mon, 19 Dec 2011 00:19:30 -0800
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: public-web-security@w3.org
Hi

> I don't recall any discussions about it. Since postMessage() can
> already be used safely I'm not feeling a burning need for it, but
> maybe you can convince us.

The paper I linked demonstrates actual vulnerabilities that Facebook Connect had a while back. IIRC, another example in the paper was an exchange where the postMessage origin was checked in the first exchange and a 'secret' key set up. Subsequent interactions were checked using the 'secret' key; but since JavaScript's PRNG is not cryptographically secure, MITMing the communication was trivial.

XSS-free applications are also possible, but a pain without CSP. So is using postMessage correctly (although using postMessage correctly is much easier than an XSS-free app).

> If developers aren't remembering to use the security features that
> already exist would they think to add it to a content security policy?
>

I imagine the CSP policy can be written by someone else. Currently, it is the case that every postMessage handler needs a security review to ensure that the origin is correctly checked (e.g., subtle bugs like maybe someone forgot to check that the scheme is https and not http, or the regex for checking origin is broken: .*trusted\.com instead of .*\.trusted\.com). This is annoying.

thanks
devdatta
Received on Monday, 19 December 2011 10:58:32 UTC
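As an added illustration (not code from the thread or from Facebook Connect) of the origin-check bugs Devdatta describes, the block below contrasts the broken `.*trusted\.com` regex, the "corrected" `.*\.trusted\.com` regex (which still accepts the wrong scheme and unanchored suffixes), and an exact-match origin allowlist. The host names and messages are constructed sample values.

```javascript
// Added example, not from the original email: three ways a postMessage
// handler might validate event.origin. All origins here are constructed.

// 1. The broken pattern from the email: no dot before "trusted", no
//    scheme check, no anchoring, so a prefix can run into the host name.
const BROKEN_RE = /.*trusted\.com/;
function originOkBroken(origin) {
  return BROKEN_RE.test(origin);
}

// 2. The "fixed" regex from the email. It rejects eviltrusted.com but is
//    still unanchored and scheme-agnostic: http:// and a trailing
//    ".evil.net" both pass.
const SUBDOMAIN_RE = /.*\.trusted\.com/;
function originOkRegex(origin) {
  return SUBDOMAIN_RE.test(origin);
}

// 3. Exact comparison of the full origin string (scheme + host + port)
//    against an allowlist. No regex, so no prefix/suffix ambiguity.
const ALLOWED_ORIGINS = new Set([
  "https://app.trusted.com",
  "https://api.trusted.com",
]);
function originOkExact(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

// Handler factory so each validator can be driven with a MessageEvent-like
// object { origin, data }. Returns true only when the message is accepted.
function makeHandler(validate, onAccepted) {
  return function onMessage(event) {
    if (!validate(event.origin)) {
      return false; // drop messages from any origin not explicitly trusted
    }
    onAccepted(event.data);
    return true;
  };
}

// In a browser, register the hardened handler.
if (typeof window !== "undefined") {
  window.addEventListener("message",
    makeHandler(originOkExact, (d) => console.log("accepted", d)));
}
```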