- From: Hallvord R M Steen <hallvors@gmail.com>
- Date: Thu, 7 Feb 2008 13:32:55 +0100
> > > Opera assumes that if a script
> > > has a JavaScript pointer to a frame then that script is permitted to
> > > navigate that frame.
> >
> > This is actually per the spec and required for web compatibility
>
> Here is a test case:
>
> http://crypto.stanford.edu/~abarth/research/html5/sibling/

Ah sorry, I see what you mean. Haven't let all the implications of your ancestor policy research sink in yet.

You are perfectly right that Opera's security policy here relies on disallowing getting the window object rather than setting location.

Implementing the ancestor policy takes care of most of the scenarios I can think of where you may want to post messages to a window that should not be allowed to change your location.

One case I'm still somewhat concerned about is that one is allowed to set the location of any top-level window according to the ancestor policy, so calling postMessage on untrusted windows from your top window is still somewhat dangerous. That's something we have to allow for web compatibility, and for this reason I still think removing event.source from the message event interface would be a good idea.

For example, consider

  w = window.open();
  w.opener = null;
  w.location = 'http://untrusted.example.org';
  w.postMessage( '...' );

Untrusted content now gets a window reference it would not otherwise have, and will be allowed to set location if this script runs in the top context of the opener.

-- 
Hallvord R. M. Steen
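The scenario in the mail above, worked through as an added example (this is editor-supplied code, not part of the original message or of any browser's implementation). It models the frame tree with a small FakeWindow class and encodes the "ancestor policy" exactly as the mail states it: a script may navigate a frame only from an ancestor of that frame, while any script holding a reference to a top-level window may navigate it. The simulated postMessage exposes the sender as event.source, which is the interface detail being objected to. Window names, origins and URLs are constructed for the illustration, and the policy function is a simplification of the mail's description rather than a transcription of any specification text.

```javascript
// Added example: a model of the ancestor navigation policy as described in the
// mail, used to show why event.source is dangerous when the sender is a top-level
// window but harmless when the sender is a nested frame. Names and URLs are made up.

class FakeWindow {
  constructor(name, origin, parent = null) {
    this.name = name;
    this.origin = origin;
    this.parent = parent;            // null for a top-level window
    this.opener = null;
    this.location = origin + '/';
    this.onmessage = null;
  }
  isTopLevel() { return this.parent === null; }
  // True if `this` is a proper ancestor of `other` in the frame tree.
  isAncestorOf(other) {
    for (let w = other.parent; w; w = w.parent) if (w === this) return true;
    return false;
  }
  // window.open(): a new top-level window whose opener points back at us.
  open() {
    const w = new FakeWindow('popup', 'about:blank');
    w.opener = this;
    return w;
  }
}

// Ancestor policy as stated in the mail (simplified model, not spec text): any
// script may set the location of a top-level window; a nested frame may only be
// navigated by a script running in one of its ancestors.
function canNavigate(source, target) {
  return target.isTopLevel() || source.isAncestorOf(target);
}

// Setting target.location from `source`, guarded by the policy. Returns whether
// the navigation was permitted.
function navigate(source, target, url) {
  if (!canNavigate(source, target)) return false;
  target.location = url;
  return true;
}

// Simulated postMessage that hands the receiver the sender as event.source.
function postMessage(source, target, data) {
  if (typeof target.onmessage === 'function') {
    target.onmessage({ data, source, origin: source.origin });
  }
}

// Untrusted content's handler: the only reference it has to the opener side is
// event.source, and it immediately tries to redirect it.
function untrustedHandler(self) {
  return (ev) => navigate(self, ev.source, 'https://untrusted.example.org/phish');
}

// The mail's sequence, run from the opener's top-level context:
//   w = window.open(); w.opener = null; w.location = untrusted; w.postMessage(...)
function scenarioPostFromTop() {
  const top = new FakeWindow('trusted-top', 'https://trusted.example');
  const w = top.open();
  w.opener = null;
  navigate(top, w, 'https://untrusted.example.org/');  // allowed: w is top-level
  w.onmessage = untrustedHandler(w);                     // untrusted content now runs in w
  postMessage(top, w, 'hello');
  return top.location;  // redirected: top is top-level, so untrusted may navigate it
}

// Same exchange, but the message is posted from a frame nested under the trusted
// top-level window. The untrusted window is not an ancestor of that frame, so the
// policy blocks the navigation even though it holds the reference.
function scenarioPostFromFrame() {
  const top = new FakeWindow('trusted-top', 'https://trusted.example');
  const frame = new FakeWindow('trusted-frame', 'https://trusted.example', top);
  const w = top.open();
  w.opener = null;
  navigate(frame, w, 'https://untrusted.example.org/');
  w.onmessage = untrustedHandler(w);
  postMessage(frame, w, 'hello');
  return frame.location;  // unchanged
}
```

Running both scenarios shows the asymmetry the mail points at: under this policy the reference leaked through event.source is only exploitable when the poster is a top-level window, which is exactly the case that has to remain navigable for web compatibility.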
Received on Thursday, 7 February 2008 04:32:55 UTC