
[whatwg] postMessage: event.source allows navigation of sender

From: Maciej Stachowiak <mjs@apple.com>
Date: Thu, 7 Feb 2008 03:43:04 -0800
Message-ID: <7C399091-D0E2-4876-A676-8D4E319DDC83@apple.com>

On Feb 7, 2008, at 2:27 AM, Hallvord R M Steen wrote:

>> The source attribute of the message event does not leak any privileges
>> to the recipient in Internet Explorer, Firefox, and Safari because
>> these browsers do not make this assumption and instead check whether
>> the script is permitted to navigate the frame when the script assigns
>> window.location.
> Adam, I don't quite follow you here because I don't know any IE or
> Safari implementation of window.postMessage. I'm quite sure IE doesn't
> implement it, I tried googling for Safari and
> postMessage/cross-document messaging but didn't find anything. As far
> as I know only Firefox 3 betas and Opera support this, so no other
> implementations can be tested.

The current development version of WebKit includes support for
cross-document messaging. I don't think any publicly available version of IE
has it. However I think Adam was speaking in the general sense here,
that getting a window object reference that you couldn't otherwise
would not leak navigation capability in the named browsers regardless
of how you get it.

>> Other browsers do not equate having a JavaScript pointer to a frame
>> with the ability to navigate that frame.
> Again if you can back that up with test cases I'd love to see them :-)

I don't have a test case handy for this but I can assure you
Safari/WebKit only allows navigating other frames in the following cases:

     // The navigation change is safe if the active frame is:
     //   - in the same security origin as the target or one of the target's ancestors
     // Or the target frame is:
     //   - a top-level frame in the frame hierarchy

This test is applied at the time window.location is assigned. If these  
conditions are not met, assigning the location property of another  
frame/window has no effect.

You can probably figure out how to make a test case based on this.

Received on Thursday, 7 February 2008 03:43:04 UTC
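
The frame-navigation check described in this message, modelled in JavaScript as an added example (not part of the original message and not WebKit source). Frame, canNavigate and assignLocation are hypothetical names, origins are compared as plain strings, and the frame tree is constructed sample data.

```javascript
// Model of the navigation policy quoted in the message above.
// Hypothetical names throughout; this is not browser code.
class Frame {
  constructor(name, origin, parent = null) {
    this.name = name;
    this.origin = origin;          // assumption: origin as a "scheme://host" string
    this.parent = parent;          // null means top-level frame
    this.location = origin + "/";
  }
}

// True if `active` may navigate `target` under the two quoted conditions.
function canNavigate(active, target) {
  // Condition 2: the target is a top-level frame in the frame hierarchy.
  if (target.parent === null) return true;
  // Condition 1: the active frame is in the same security origin as the
  // target or one of the target's ancestors.
  for (let f = target; f !== null; f = f.parent) {
    if (f.origin === active.origin) return true;
  }
  return false;
}

// Models `target.location = url` run by script in `active`. The check happens
// at assignment time; holding a reference to `target` (for example from
// event.source) grants nothing by itself. On failure the assignment has no effect.
function assignLocation(active, target, url) {
  if (!canNavigate(active, target)) return false;
  target.location = url;
  return true;
}

// Constructed frame tree:
//   portal (top-level)
//   ├── gadget
//   │     └── nested
//   └── ad
const portal = new Frame("portal", "https://portal.example");
const gadget = new Frame("gadget", "https://gadget.example", portal);
const nested = new Frame("nested", "https://widget.example", gadget);
const ad = new Frame("ad", "https://ads.example", portal);
```
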
