- From: Thomas Broyer <t.broyer@gmail.com>
- Date: Thu, 7 Feb 2008 10:45:53 +0100
On Feb 7, 2008 10:24 AM, Hallvord R M Steen wrote:
> Adam Barth and Collin Jackson pointed out to me that while
> investigating frame navigation policies they found that a recipient of
> a postMessage in Opera can set event.source.location, thus navigate
> the sender window/document. I think this is a bug in the API itself.

If what you say is true (see below) I'd rather say it's a bug in Opera's implementation.

> This seems to violate the API's promise of safe cross-domain
> communication even with untrusted documents. One can imagine use cases
> where a script in document A has a reference to window B and thus can
> post messages, but window B does not have any to A and would not under
> normal circumstances be able to change A's address.

Shouldn't event.source.location be read-only? Isn't that a direct application of the same-origin policy?

The current draft contains the following note:

"Implementors are urged to take extra care in the implementation of this feature. It allows authors to transmit information from one domain to another domain, which is normally disallowed for security reasons. It also requires that UAs be careful to allow access to certain properties but not others."

See also http://www.whatwg.org/specs/web-apps/current-work/multipage/section-history.html#security5

And setting the event.source (Window object)'s location property is covered by the following paragraph:

"In the ECMAScript DOM binding, the location members of the HTMLDocument and Window interfaces behave as if they had a setter: user agents must treats attempts to set these location attribute as attempts at setting the href attribute of the relevant Location object instead."

source: http://www.whatwg.org/specs/web-apps/current-work/multipage/section-history.html#location0

which "invokes" the #security5 above.

--
Thomas Broyer
Received on Thursday, 7 February 2008 01:45:53 UTC