[whatwg] Fixing two security vulnerabilities in registerProtocolHandler

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Mon, 26 Sep 2011 14:48:18 -0400
Message-ID: <4E80C8F2.3080309@mit.edu>

On 9/26/11 2:09 PM, Tyler Close wrote:
> AFAICT, there is no API that the intent handler can
> reliably use to determine the correct targetOrigin for this
> postMessage invocation.

That's correct, though as long as you don't use too much in the way of 
about:blank or javascript: or data: URIs, passing window.location.href 
will do the right thing.

> I suggest fixing this problem by adding a new
> readonly DOMString that contains the correct origin for the
> postMessage invocation; perhaps document.origin.

I would be somewhat in favor of this.

-Boris
Received on Monday, 26 September 2011 11:48:18 UTC
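
The caveat in the message above, as an added example that is not part of the original thread or of any browser API: deriving a postMessage targetOrigin from an href works for ordinary URLs but not for about:, javascript: or data: URLs, whose href does not name an origin. The function names, the sample URLs and the stand-in target object are assumptions constructed for illustration.

```javascript
// Added example; targetOriginFromHref and postToOrigin are hypothetical helpers.
// Schemes named in the message whose href does not carry a usable origin.
const NO_ORIGIN_SCHEMES = new Set(["about:", "javascript:", "data:"]);

function targetOriginFromHref(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { ok: false, reason: "unparseable href" };
  }
  if (NO_ORIGIN_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: "scheme " + url.protocol + " does not identify an origin" };
  }
  // URL.origin serializes any other opaque origin (e.g. file:) as the string "null".
  if (url.origin === "null") {
    return { ok: false, reason: "opaque origin" };
  }
  // Scheme, host and non-default port only; path and query are dropped.
  return { ok: true, origin: url.origin };
}

// Send only when a concrete origin was derived; otherwise report why not,
// rather than widening the recipient set with "*".
function postToOrigin(target, message, href) {
  const result = targetOriginFromHref(href);
  if (result.ok) {
    target.postMessage(message, result.origin);
  }
  return result;
}

// Constructed stand-in for a window object, so the example runs outside a browser.
function makeRecordingTarget() {
  const sent = [];
  return { sent, postMessage: (msg, origin) => sent.push({ msg, origin }) };
}

const demoTarget = makeRecordingTarget();
for (const href of [
  "https://handler.example:8443/intent?x=1", // constructed sample URLs
  "about:blank",
  "data:text/html,<p>hi</p>",
  "javascript:void(0)",
]) {
  console.log(href, "->", JSON.stringify(postToOrigin(demoTarget, { hello: 1 }, href)));
}
```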