[Bug 14900] New: note about checking "origin" attribute of MessageEvent

http://www.w3.org/Bugs/Public/show_bug.cgi?id=14900

           Summary: note about checking "origin" attribute of MessageEvent
           Product: WebAppsWG
           Version: unspecified
          Platform: PC
        OS/Version: Windows NT
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Server-Sent Events (editor: Ian Hickson)
        AssignedTo: ian@hixie.ch
        ReportedBy: vic99999@yandex.ru
         QAContact: member-webapi-cvs@w3.org
                CC: mike@w3.org, public-webapps@w3.org


http://www.html5rocks.com/en/tutorials/eventsource/basics/#toc-security

"Authors should check the origin attribute to ensure that messages are only
accepted from domains that they expect to receive messages from. Otherwise,
bugs in the author's message handling code could be exploited by hostile
sites."

That warning is especially relevant for window.postMessage() messages and not
so much for EventSource and WebSocket, and this should be marked in the spec.

see http://krijnhoetmer.nl/irc-logs/whatwg/20111122#l-381

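As an added example (not part of the bug report, the tutorial, or the spec), a page-side handler that applies the quoted advice with exact origin matching, beside the substring check it replaces, plus the corresponding check for an EventSource stream. The origins and events are constructed sample values.

```javascript
// Added example: checking MessageEvent.origin before acting on a message.
// Origins below are constructed sample values, not real sites.
const TRUSTED_ORIGINS = new Set(["https://app.example", "https://widget.example"]);

// Exact, case-sensitive match against an allowlist of serialized origins.
// An origin is scheme://host[:port], so "https://app.example.attacker" and
// "http://app.example" are different origins and are rejected.
function isTrustedOrigin(origin, trusted = TRUSTED_ORIGINS) {
  return typeof origin === "string" && trusted.has(origin);
}

// Common mistake: a substring or prefix test on the origin string. Kept here
// only to show what the allowlist check above prevents.
function naiveOriginCheck(origin) {
  return origin.includes("app.example");
}

// Handler for window.postMessage() messages: reject before parsing, then
// still treat event.data as untrusted input even from a trusted sender.
function handlePostMessage(event, trusted = TRUSTED_ORIGINS) {
  if (!isTrustedOrigin(event.origin, trusted)) {
    return { accepted: false, reason: "untrusted origin: " + event.origin };
  }
  let payload;
  try {
    payload = JSON.parse(event.data);
  } catch (e) {
    return { accepted: false, reason: "malformed data" };
  }
  if (!payload || typeof payload.type !== "string") {
    return { accepted: false, reason: "missing message type" };
  }
  return { accepted: true, type: payload.type };
}

// For EventSource, MessageEvent.origin is the origin of the stream's final URL
// (after redirects), so a check only catches an unexpected cross-origin
// redirect: compare it with the origin of the URL the page opened.
function eventSourceOriginMatches(streamUrl, event) {
  return event.origin === new URL(streamUrl).origin;
}

// Constructed sample events (the shape of a MessageEvent, not a real browser).
const fromTrusted = { origin: "https://app.example", data: JSON.stringify({ type: "ping" }) };
const fromLookalike = { origin: "https://app.example.attacker", data: JSON.stringify({ type: "ping" }) };

// In a browser: window.addEventListener("message", (e) => handlePostMessage(e));
```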

Received on Tuesday, 22 November 2011 08:46:34 UTC