
[whatwg] postMessage: event.source allows navigation of sender

From: Hallvord R M Steen <hallvors@gmail.com>
Date: Thu, 7 Feb 2008 10:24:00 +0100
Message-ID: <dd4c8a40802070124r166ce1e6ldf99e0f24ce05bf7@mail.gmail.com>

Adam Barth and Collin Jackson pointed out to me that while
investigating frame navigation policies they found that a recipient of
a postMessage in Opera can set event.source.location, and thus navigate
the sender window/document. I think this is a bug in the API itself.

This seems to violate the API's promise of safe cross-domain
communication even with untrusted documents. One can imagine use cases
where a script in document A has a reference to window B and thus can
post messages, but window B does not have any to A and would not under
normal circumstances be able to change A's address.

I think this should be addressed by removing event.source entirely. It
would be weird to disallow setting location on a window object in this
context only. To allow posting replies we could instead define a
function on the event object. Say for example

document.addEventListener('message', function(e){
}, false)

Hallvord R. M. Steen
Received on Thursday, 7 February 2008 01:24:00 UTC
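
The difference between handing the recipient the sender's window and handing it a reply-only function, as an added example that is not part of the original message. It is a constructed model in plain JavaScript rather than browser code: ModelWindow, postWithSource, postWithReply and the function name reply are hypothetical, and the URLs are placeholders.

```javascript
// Constructed model, not browser code: ModelWindow stands in for a browsing context.
class ModelWindow {
  constructor(url) {
    this.location = url;  // settable by anyone who holds a reference to this object
    this.inbox = [];
    this.onmessage = null;
  }
  receive(event) {
    this.inbox.push(event.data);
    if (this.onmessage) this.onmessage(event);
  }
}

// Delivery as the message describes it: the event carries the sender's window itself.
function postWithSource(sender, target, data) {
  target.receive({ data, source: sender });
}

// Delivery with a reply-only capability (hypothetical name `reply`).
// The closure keeps `sender` private; the recipient can only send data back.
function postWithReply(sender, target, data) {
  const event = { data, reply: (answer) => sender.receive({ data: answer }) };
  target.receive(Object.freeze(event));
}

// Untrusted recipient: answers, and sets location on any window reference it is given.
function untrustedHandler(event) {
  if (event.source) {
    event.source.receive({ data: 'pong' });
    event.source.location = 'https://b.example/redirected';
  } else {
    event.reply('pong');
  }
}

// Document A posts to window B using the given delivery function; returns A's state.
function run(post) {
  const a = new ModelWindow('https://a.example/app');
  const b = new ModelWindow('https://b.example/widget');
  b.onmessage = untrustedHandler;
  post(a, b, 'ping');
  return { senderLocation: a.location, senderInbox: a.inbox };
}

console.log(run(postWithSource), run(postWithReply));
```

In both runs document A receives the reply, but only the run that exposes source lets the recipient change A's location.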
