- From: <bugzilla@jessica.w3.org>
- Date: Tue, 22 Nov 2011 08:46:28 +0000
- To: public-webapps@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=14900

Summary: note about checking "origin" attribute of MessageEvent
Product: WebAppsWG
Version: unspecified
Platform: PC
OS/Version: Windows NT
Status: NEW
Severity: normal
Priority: P2
Component: Server-Sent Events (editor: Ian Hickson)
AssignedTo: ian@hixie.ch
ReportedBy: vic99999@yandex.ru
QAContact: member-webapi-cvs@w3.org
CC: mike@w3.org, public-webapps@w3.org

http://www.html5rocks.com/en/tutorials/eventsource/basics/#toc-security

"Authors should check the origin attribute to ensure that messages are only accepted from domains that they expect to receive messages from. Otherwise, bugs in the author's message handling code could be exploited by hostile sites."

That warning is especially relevant for window.postMessage() messages and not so much EventSource and WebSocket and this should be marked in the spec.

See http://krijnhoetmer.nl/irc-logs/whatwg/20111122#l-381
Received on Tuesday, 22 November 2011 08:46:34 UTC
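
The origin check that the quoted warning asks for, applied to a window.postMessage() listener. This is an added example, not part of the bug report or of any specification text; the allowlisted origins, the `{type, ...}` message shape and the function names are assumptions.

```javascript
// Added example. ALLOWED_ORIGINS, the {type, ...} message shape and all
// function names are assumptions for illustration.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://widgets.example.com",
]);

// Returns the reason an event must be dropped, or null if it may be handled.
function rejectReason(event, allowed) {
  const origin = event.origin;
  // Sandboxed frames and data: documents serialize their origin as "null".
  if (typeof origin !== "string" || origin === "" || origin === "null") {
    return "opaque-or-missing-origin";
  }
  // Exact match only: prefix or substring tests would also accept
  // lookalikes such as "https://app.example.com.other.test".
  if (!allowed.has(origin)) return "origin-not-allowlisted";
  const data = event.data;
  if (data === null || typeof data !== "object" || typeof data.type !== "string") {
    return "unexpected-shape";
  }
  return null;
}

// Builds a "message" listener that dispatches only vetted events.
function makeMessageHandler(allowed, handlers, log = () => {}) {
  return function onMessage(event) {
    let reason = rejectReason(event, allowed);
    if (!reason && !Object.prototype.hasOwnProperty.call(handlers, event.data.type)) {
      reason = "unknown-type";
    }
    if (reason) {
      log(reason, event.origin);
      return false;
    }
    handlers[event.data.type](event.data, event.origin);
    return true;
  };
}

// In a browser: register the listener. Under Node this branch is skipped.
if (typeof window !== "undefined" && typeof window.addEventListener === "function") {
  window.addEventListener("message", makeMessageHandler(ALLOWED_ORIGINS, {
    resize: (data) => console.log("resize requested:", data.height),
  }, (reason, origin) => console.warn("dropped message:", reason, origin)));
}
```

The handler returns `false` for every dropped event and reports the reason to the logging callback, so rejected origins can be counted or alerted on.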