Re: [web messaging] Erroneous origin check in algorithm

Adding the Web Apps WG (list: public-webapps@w3.org) which has responsibility for the Web Messaging spec.
--
Thomas Roessler, W3C  <tlr@w3.org>  (@roessler)







On Aug 2, 2011, at 08:30 , Philippe De Ryck wrote:

> The following comment contains detailed information about an issue that
> was discovered during a recent security analysis of 13 next generation
> web standards, organized by ENISA (European Network and Information
> Security Agency), and performed by the DistriNet Research Group (K.U.
> Leuven, Belgium).
> 
> The complete report is available at http://www.enisa.europa.eu/html5
> (*), and contains information about the process, the discovered
> vulnerabilities and recommendations towards improving overall security
> in the studied specifications.
> 
> Summary 
> ---------
> 
> The specification uses the origin of the script's document for checks,
> except in step 9 of the algorithm to post a message.
> 
> Based on: HTML5 Web Messaging, 7 July 2011
> Relevant Sections: 4.3. Posting Messages
> 
> Issue
> -------
> 
> Throughout the specification, the origin of the script's document is
> used. In section 4.3, step 9 of the algorithm, the origin attribute is
> set to the "origin of the script that invoked the method". This should
> probably be the "origin of the document of the script that ...", to
> handle cases of domain relaxation (using document.domain). This is also
> how it is currently implemented (tested in Firefox and Chrome)
> 
> 
> Recommended Solution
> ----------------------
> 
> Update step 9 of the specification to the following (addition marked by
> --> <--): 
> 
> Create an event that uses the MessageEvent interface, with the event
> name message, which does not bubble, is not cancelable, and has no
> default action. The data attribute must be set to the value of message
> clone, the origin attribute must be set to the Unicode serialization of
> the origin of --> document containing <-- the script that invoked the
> method, the source attribute must be set to the script's global object's
> WindowProxy object, and the ports attribute must be set to the new ports
> array.
> 
> 
> 
> (*) HTML version of the report is available as well:
> https://distrinet.cs.kuleuven.be/projects/HTML5-security/
> 
> -- 
> Philippe De Ryck
> K.U.Leuven, Dept. of Computer Science
> 
> 
> Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
> 

Received on Tuesday, 2 August 2011 12:07:34 UTC