- From: Thomas Roessler <tlr@w3.org>
- Date: Tue, 2 Aug 2011 14:07:24 +0200
- To: Philippe De Ryck <philippe.deryck@cs.kuleuven.be>
- Cc: Thomas Roessler <tlr@w3.org>, public-html-comments@w3.org, public-webapps WG <public-webapps@w3.org>, Giles Hogben <Giles.Hogben@enisa.europa.eu>, Lieven Desmet <Lieven.Desmet@cs.kuleuven.be>
Adding the Web Apps WG (list: public-webapps@w3.org) which has responsibility for the Web Messaging spec. -- Thomas Roessler, W3C <tlr@w3.org> (@roessler) On Aug 2, 2011, at 08:30 , Philippe De Ryck wrote: > The following comment contains detailed information about an issue that > was discovered during a recent security analysis of 13 next generation > web standards, organized by ENISA (European Network and Information > Security Agency), and performed by the DistriNet Research Group (K.U. > Leuven, Belgium). > > The complete report is available at http://www.enisa.europa.eu/html5 > (*), and contains information about the process, the discovered > vulnerabilities and recommendations towards improving overall security > in the studied specifications. > > Summary > --------- > > The specification uses the origin of the script's document for checks, > except in step 9 of the algorithm to post a message. > > Based on: HTML5 Web Messaging, 7 July 2011 > Relevant Sections: 4.3. Posting Messages > > Issue > ------- > > Throughout the specification, the origin of the script's document is > used. In section 4.3, step 9 of the algorithm, the origin attribute is > set to the "origin of the script that invoked the method". This should > probably be the "origin of the document of the script that ...", to > handle cases of domain relaxation (using document.domain). This is also > how it is currently implemented (tested in Firefox and Chrome) > > > Recommended Solution > ---------------------- > > Update step 9 of the specification to the following (addition marked by > --> <--): > > Create an event that uses the MessageEvent interface, with the event > name message, which does not bubble, is not cancelable, and has no > default action. The data attribute must be set to the value of message > clone, the origin attribute must be set to the Unicode serialization of > the origin of --> document containing <-- the script that invoked the > method, the source attribute must be set to the script's global object's > WindowProxy object, and the ports attribute must be set to the new ports > array. > > > > (*) HTML version of the report is available as well: > https://distrinet.cs.kuleuven.be/projects/HTML5-security/ > > -- > Philippe De Ryck > K.U.Leuven, Dept. of Computer Science > > > Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm >
Received on Tuesday, 2 August 2011 12:07:34 UTC