[whatwg] A potential slight security enhancement to postMessage from Collin Jackson on 2008-01-31 (public-whatwg-archive@w3.org from January 2008)

From: Collin Jackson <whatwg@collinjackson.com>
Date: Wed, 30 Jan 2008 19:15:47 -0800
Message-ID: <986207e70801301915i2f49facj98a3663aee744b16@mail.gmail.com>

Here is a suggestion for a backwards-compatible addition to the
postMessage specification:

Currently postMessage is great for sending authenticated messages
between frames. The receiver knows exactly where each message came
from. However, it doesn't provide any confidentiality guarantees. When
you're posting a message to a window, you have no way of knowing who
is listening on the other end, because the same-origin policy prevents
you from reading the domain and URI of that window. The window may
have been showing a page loaded from foo.com the last time you
received a message from it, but it might be displaying content from
bar.com now; if you send it a message, you don't whether the message
will be received by foo.com or bar.com.

For non-security-sensitive messages, like "change your font color to
red", confidentiality might not be needed. However, if the message
you're trying to send contains a password, it would be nice to be able
to specify which domain you're trying to send it to.

The postMessage API could be extended to provide confidentiality by
adding some optional arguments:

void postMessage(in DOMString message, [optional] in DOMString domain,
[optional] in DOMString uri);

If "domain" or "uri" are specified, the browser would only deliver the
message if the recipient's location matches the specified domain and/or
URI. (Being able to specify the URI allows sites to differentiate
between http and https URIs.) If "domain" and "uri" are not defined,
the message would be delivered regardless of who the recipient is,
making this change backwards compatible for sites that aren't aware
of the optional parameters.

For privacy, postMessage should be designed not to reveal the domain
or URI of the receiving window, so if there is a mismatch, the message
should be silently dropped.

Providing the domain and URI for replies should be easy since these
values are already parameters of the event. Here is an example of code
that specifies the expected domain and URI for the recipient:

document.addEventListener('message', receiver, false);
function receiver(e) {
  if (e.domain == 'example.com') {
    if (e.data == 'Hello world') {
      e.source.postMessage('Hello', e.domain, e.uri);
    } else {
      alert(e.data);
    }
  }
}

Received on Wednesday, 30 January 2008 19:15:47 UTC