- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 12 Feb 2008 23:40:24 +0000 (UTC)
On Wed, 30 Jan 2008, Collin Jackson wrote:
>
> Here is a suggestion for a backwards-compatible addition to the
> postMessage specification:
>
> Currently postMessage is great for sending authenticated messages
> between frames. The receiver knows exactly where each message came from.
> However, it doesn't provide any confidentiality guarantees. When you're
> posting a message to a window, you have no way of knowing who is
> listening on the other end, because the same-origin policy prevents you
> from reading the domain and URI of that window. The window may have been
> showing a page loaded from foo.com the last time you received a message
> from it, but it might be displaying content from bar.com now; if you
> send it a message, you don't know whether the message will be received by
> foo.com or bar.com.
>
> For non-security-sensitive messages, like "change your font color to
> red", confidentiality might not be needed. However, if the message
> you're trying to send contains a password, it would be nice to be able
> to specify which domain you're trying to send it to.
>
> The postMessage API could be extended to provide confidentiality by
> adding some optional arguments:
>
> void postMessage(in DOMString message, [optional] in DOMString domain,
> [optional] in DOMString uri);

Done, using just 'origin'.

On Fri, 1 Feb 2008, Collin Jackson wrote:
>
> You can try it out here:
> <http://crypto.stanford.edu/websec/post-message/challenge-response/>.
>
> This turned out to be slightly tricky. To send a single message, the
> sender has to first post a message to the recipient. The recipient then
> responds. At this point, during the execution of this callback, the
> domain and uri attributes of the event are accurate and the sender can
> safely send the message. There are a number of gotchas, which we think
> we've handled correctly, but it's hard to be sure. In the end, it would
> be much simpler and less error-prone to write this as a single line of
> code:
>
> frames[0].postMessage(message, "theory.stanford.edu");

You now have to say:

   frames[0].postMessage(message, "http://theory.stanford.edu");

Note that as defined, this:

   frames[0].postMessage(message, "http://example.com/victim");

...will allow messages to be sent to, e.g. "http://example.com/evil".

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
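An added example, not from this thread or from any browser's code: a JavaScript model of the check that the targetOrigin argument performs (assuming the standard URL origin serialisation, so "*", "/" and a full URL are the accepted forms), showing why the path in "http://example.com/victim" is ignored and why a bare hostname is rejected, alongside the receiver-side event.origin check that complements it.

```javascript
// Model of the sender-side targetOrigin check performed by
// window.postMessage(message, targetOrigin). Pure functions only, so it
// runs outside a browser; the real dispatch is done by the user agent.

// Origin of a URL: scheme://host[:port]. Path, query and fragment drop out.
// Throws on input without a scheme, e.g. a bare hostname.
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Returns true when the browser would deliver the message to a window whose
// current document is loaded from receiverUrl.
//   "*"  -> deliver whatever the receiver's origin is (no confidentiality)
//   "/"  -> deliver only to the sender's own origin
//   URL  -> deliver only if the receiver's origin equals the URL's origin
function wouldDeliver(targetOrigin, senderOrigin, receiverUrl) {
  const receiverOrigin = originOf(receiverUrl);
  if (targetOrigin === "*") return true;
  if (targetOrigin === "/") return senderOrigin === receiverOrigin;
  return originOf(targetOrigin) === receiverOrigin;   // path is ignored here
}

// Receiver side: compare event.origin against an explicit allow-list before
// trusting event.data. Returns the data if accepted, otherwise null.
function acceptMessage(event, allowedOrigins) {
  return allowedOrigins.includes(event.origin) ? event.data : null;
}

// Constructed scenario: the sender targets "/victim" on example.com, but the
// frame now shows "/evil" from the same origin. The origin check still passes.
function demo() {
  const sender = "http://theory.stanford.edu";
  const results = {
    samePathTarget: wouldDeliver("http://example.com/victim", sender,
                                 "http://example.com/victim"),
    otherPathSameOrigin: wouldDeliver("http://example.com/victim", sender,
                                      "http://example.com/evil"),
    otherHost: wouldDeliver("http://example.com/victim", sender,
                            "http://evil.example.net/"),
  };
  try {
    wouldDeliver("theory.stanford.edu", sender, "http://example.com/");
    results.bareHostAccepted = true;
  } catch (e) {
    results.bareHostAccepted = false;   // no scheme: not a valid origin
  }
  return results;
}
```

The only way a sender gets path-level confidentiality is the receiver's own discipline: the receiver must check event.origin (and ideally answer only from the intended page), since targetOrigin cannot express more than scheme, host and port.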
Received on Tuesday, 12 February 2008 15:40:24 UTC