- From: Hallvord R M Steen <hallvors@gmail.com>
- Date: Thu, 7 Feb 2008 10:24:00 +0100

Adam Barth and Collin Jackson pointed out to me that while investigating frame navigation policies they found that a recipient of a postMessage in Opera can set event.source.location, and thus navigate the sender window/document.

I think this is a bug in the API itself. This seems to violate the API's promise of safe cross-domain communication even with untrusted documents. One can imagine use cases where a script in document A has a reference to window B and thus can post messages, but window B does not have any to A and would not under normal circumstances be able to change A's address.

I think this should be addressed by removing event.source entirely. It would be weird to disallow setting location on a window object in this context only. To allow posting replies we could instead define a function on the event object. Say for example

    document.addEventListener( 'message', function(e){
        if(e.data=='Hi'){
            e.reply('Hello');
        }
    }, false )

--
Hallvord R. M. Steen

Received on Thursday, 7 February 2008 01:24:00 UTC
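
The difference between handing a recipient `event.source` and handing it only a reply function, as an added example that is not part of the original message or of any browser's implementation. `makeWindow`, `rawEvent`, `replyOnlyEvent` and `untrustedHandler` are hypothetical names, and the window objects are constructed stand-ins so the code runs outside a browser.

```javascript
'use strict';

// Constructed stand-in for a browser window (assumption: only the two
// members the message discusses are modelled).
function makeWindow(url) {
  return {
    location: url,                       // assignable, like window.location
    received: [],                        // data delivered via postMessage
    postMessage(data) { this.received.push(data); },
  };
}

// Event shape described in the message: the recipient receives a full
// reference to the sender window in `source`.
function rawEvent(data, senderWindow) {
  return { data, source: senderWindow };
}

// Attenuated event in the spirit of the proposed e.reply(): no `source`,
// only a closure that can post data back to the sender and nothing else.
function replyOnlyEvent(data, senderWindow) {
  return Object.freeze({
    data,
    reply(message) { senderWindow.postMessage(message); },
  });
}

// Recipient code that answers 'Hi' and also assigns the sender's location
// whenever it is handed a reference that allows it.
function untrustedHandler(e) {
  if (e.data === 'Hi') {
    if (typeof e.reply === 'function') e.reply('Hello');
    else e.source.postMessage('Hello');
  }
  if (e.source) e.source.location = 'https://recipient.example/elsewhere';
}

// Run the same handler against both event shapes and return the senders.
function demo() {
  const withSource = makeWindow('https://a.example/');
  untrustedHandler(rawEvent('Hi', withSource));

  const replyOnly = makeWindow('https://a.example/');
  untrustedHandler(replyOnlyEvent('Hi', replyOnly));

  return { withSource, replyOnly };
}
```

Both senders receive the reply, but only the one exposed through `source` ends up with a changed `location`.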