- From: Adam Barth <hk9565@gmail.com>
- Date: Thu, 7 Feb 2008 02:01:16 -0800
Hallvord,

On Feb 7, 2008 1:24 AM, Hallvord R M Steen <hallvors at gmail.com> wrote:
> Adam Barth and Collin Jackson pointed out to me that while
> investigating frame navigation policies they found that a recipient of
> a postMessage in Opera can set event.source.location, thus navigate
> the sender window/document.

I think this is a bug in the API itself. When one frame posts a message to another frame, the recipient frame obtains a pointer to the sender frame as the "source" attribute of the message event. In Opera, this leaks the capability to navigate the sender's frame to the recipient because Opera assumes that if a script has a JavaScript pointer to a frame then that script is permitted to navigate that frame.

The source attribute of the message event does not leak any privileges to the recipient in Internet Explorer, Firefox, and Safari because these browsers do not make this assumption and instead check whether the script is permitted to navigate the frame when the script assigns window.location.

In Opera, it is difficult to obtain a JavaScript pointer to a frame because Opera prevents scripts from reading window.frames[i] across domains. Internet Explorer, Firefox, and Safari all allow scripts to read window.frames[i] across domains.

> This seems to violate the API's promise of safe cross-domain
> communication even with untrusted documents. One can imagine use cases
> where a script in document A has a reference to window B and thus can
> post messages, but window B does not have any to A and would not under
> normal circumstances be able to change A's address.

Other browsers do not equate having a JavaScript pointer to a frame with the ability to navigate that frame.

> I think this should be addressed by removing event.source entirely.

Another way to resolve the issue is for Opera to match the other browsers and check whether a script is permitted to navigate a frame when that script assigns the frame's location.
On Feb 7, 2008 1:45 AM, Thomas Broyer <t.broyer at gmail.com> wrote:
> Shouldn't event.source.location be read-only? Isn't that a direct
> application of the same-origin policy?

Internet Explorer, Firefox, Safari, and Opera all permit a script to write window.location across domains. This action is interpreted as a request to navigate the frame. The browser's frame navigation policy determines whether this navigation is permitted.

Adam
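The thread above is about what a message recipient can do with event.source. The following is an added example, not code from the thread or from any browser vendor: a receiver-side postMessage handler written so that event.source is used only as a reply channel and never dereferenced for anything else (in particular never event.source.location), and so that the sender is authenticated by event.origin rather than by holding a frame pointer. The trusted origins, the "ping"/"pong" message shapes, and the fake sender window used to exercise the handler outside a browser are all constructed for this example.

```javascript
// Added example (not from the original mailing-list thread): a defensive
// postMessage receiver. It treats event.source purely as a channel for a
// reply and never touches event.source.location, so even in a browser
// where holding a frame pointer implies the right to navigate that frame
// (the Opera behaviour discussed above), this handler never exercises
// that capability. The origins and message shapes are constructed.

const TRUSTED_ORIGINS = new Set(["https://app.example", "https://widget.example"]);

/**
 * Process one incoming message event. Returns a small record of what was
 * done so the logic can be checked outside a browser; in a page you would
 * call it from window.addEventListener("message", ev => handleMessage(ev)).
 */
function handleMessage(event, trusted = TRUSTED_ORIGINS) {
  // 1. Authenticate the sender by its origin, never by inspecting event.source.
  if (typeof event.origin !== "string" || !trusted.has(event.origin)) {
    return { accepted: false, reason: "untrusted origin" };
  }

  // 2. Parse the payload defensively; reject anything not of the expected shape.
  let msg;
  try {
    msg = typeof event.data === "string" ? JSON.parse(event.data) : event.data;
  } catch (e) {
    return { accepted: false, reason: "malformed data" };
  }
  if (!msg || typeof msg.type !== "string") {
    return { accepted: false, reason: "missing type" };
  }

  // 3. Dispatch only on an allow-list of message types.
  let reply;
  switch (msg.type) {
    case "ping":
      reply = { type: "pong", echo: msg.payload === undefined ? null : msg.payload };
      break;
    default:
      return { accepted: false, reason: "unknown type " + msg.type };
  }

  // 4. Use event.source solely to post the reply, and pin the reply to
  //    event.origin so it is not delivered if the sender window has since
  //    navigated to a different origin. Nothing else on event.source is read
  //    or written.
  if (event.source && typeof event.source.postMessage === "function") {
    event.source.postMessage(JSON.stringify(reply), event.origin);
  }
  return { accepted: true, reply: reply };
}

// A minimal stand-in for the sender window (constructed for this example),
// recording what was posted back and with which targetOrigin.
function makeFakeSource() {
  const sent = [];
  return {
    sent: sent,
    postMessage: function (data, targetOrigin) {
      sent.push({ data: data, targetOrigin: targetOrigin });
    },
  };
}
```

The handler's contract is the one the thread's participants want from the API: the only thing the recipient ever does with the sender's frame is send it a message, and even that is bound to the origin it authenticated. Whether the browser checks navigation permission at assignment time (the IE, Firefox and Safari model) or treats the pointer itself as the capability (the Opera model) makes no difference to a receiver written this way.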
Received on Thursday, 7 February 2008 02:01:16 UTC