[whatwg] postMessage: event.source allows navigation of sender from Adam Barth on 2008-02-07 (public-whatwg-archive@w3.org from February 2008)

From: Adam Barth <hk9565@gmail.com>
Date: Thu, 7 Feb 2008 02:01:16 -0800
Message-ID: <7789133a0802070201l172745dcid8a4fc3280d1ce48@mail.gmail.com>

Hallvord,

On Feb 7, 2008 1:24 AM, Hallvord R M Steen <hallvors at gmail.com> wrote:
> Adam Barth and Collin Jackson pointed out to me that while
> investigating frame navigation policies they found that a recipient of
> a postMessage in Opera can set event.source.location, thus navigate
> the sender window/document. I think this is a bug in the API itself.

When one frame posts a message to another frame, the recipient frame
obtains a pointer to the sender frame as the "source" attribute of the
message event.  In Opera, this leaks the capability to navigate the
sender's frame to the recipient because Opera assumes that if a script
has a JavaScript pointer to a frame then that script is permitted to
navigate that frame.

The source attribute of the message event does not leak any privileges
to the recipient in Internet Explorer, Firefox, and Safari because
these browsers do not make this assumption and instead check whether
the script is permitted to navigate the frame when the script assigns
window.location.

In Opera, it is difficult to obtain a JavaScript pointer to a frame
because Opera prevents scripts from reading window.frames[i] across
domains.  Internet Explorer, Firefox, and Safari all allow scripts to
read window.frames[i] across domains.

> This seems to violate the API's promise of safe cross-domain
> communication even with untrusted documents. One can imagine use cases
> where a script in document A has a reference to window B and thus can
> post messages, but window B does not have any to A and would not under
> normal circumstances be able to change A's address.

Other browsers do not equate having a JavaScript pointer to a frame
with the ability to navigate that frame.

> I think this should be adressed by removing event.source entirely.

Another way to resolve the issue is for Opera to match the other
browsers and check whether a script is permitted to navigate a frame
when that scripts assigns the frame's location.

On Feb 7, 2008 1:45 AM, Thomas Broyer <t.broyer at gmail.com> wrote:
> Shouldn't event.source.location be read-only? Isn't that a direct
> application of the same-origin policy?

Internet Explorer, Firefox, Safari, and Opera all permit a script to
write window.location across domains.  This action is interpreted as a
request to navigate the frame.  The browser's frame navigation policy
determines whether this navigation is permitted.

Adam

Received on Thursday, 7 February 2008 02:01:16 UTC