[whatwg] Fixing two security vulnerabilities in registerProtocolHandler

On Mon, Sep 26, 2011 at 11:09 AM, Tyler Close <tyler.close at gmail.com> wrote:
> The second problem with RPH is that the handler page doesn't have a
> way of reliably getting the URL of the content to be handled from the
> browser. In order to work in offline scenarios, the RPH handler must
> put the %s placeholder in the fragment of its handler's URL.
> Unfortunately, this means that other content in the browser could
> modify the content URL before the handler reads it.

Just to clarify, the problem here is the well-known message integrity
problem with using window.location.hash for cross-domain messaging.
Since window.location.hash can be written to by content from many
other origins, the RPH handler can't rely on the window.location.hash
containing the content URL specified by the RPH client. Putting a copy
of the content URL in window.navigator.action solves this problem.

--Tyler

Received on Tuesday, 27 September 2011 12:27:41 UTC
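
The integrity problem described in this message, modelled as an added JavaScript example (not code from the thread or from any specification). `navigator.action` is the property proposed in this thread, not a shipped browser API, and is modelled as a string on a plain object; the `#url=` handler template, `makeWindow`, `demo` and the sample URLs are assumptions constructed for illustration.

```javascript
// navigator.action is the property proposed in this thread, not a shipped
// browser API; it is modelled here as a string on a plain object (assumption).
const HANDLER_PREFIX = "#url="; // assumed registration: /handle#url=%s

// Decode the content URL from the fragment, as a %s-in-fragment handler must.
function urlFromHash(hash) {
  if (typeof hash !== "string" || !hash.startsWith(HANDLER_PREFIX)) return null;
  try {
    return decodeURIComponent(hash.slice(HANDLER_PREFIX.length));
  } catch (e) {
    return null; // malformed percent-encoding
  }
}

// Choose the content URL the handler acts on. The fragment is writable by
// other origins, so it is used only when no browser-supplied copy exists,
// and the result is then flagged as unauthenticated.
function resolveContentUrl(win) {
  const fromHash = urlFromHash(win.location.hash);
  const action = win.navigator ? win.navigator.action : undefined;
  if (typeof action === "string") {
    return { url: action, authenticated: true, hashMismatch: fromHash !== action };
  }
  return { url: fromHash, authenticated: false, hashMismatch: false };
}

// Constructed window model: the browser fills in the hash (and, under the
// proposal, navigator.action) when it dispatches to the handler.
function makeWindow(contentUrl, withAction) {
  return {
    location: { hash: HANDLER_PREFIX + encodeURIComponent(contentUrl) },
    navigator: withAction ? { action: contentUrl } : {},
  };
}

// Constructed scenario: another origin rewrites the fragment before the
// handler reads it.
function demo(withAction) {
  const win = makeWindow("mailto:alice@example.com", withAction);
  win.location.hash = HANDLER_PREFIX + encodeURIComponent("mailto:other@example.net");
  return resolveContentUrl(win);
}

console.log(demo(true));  // browser-supplied copy available
console.log(demo(false)); // fragment only
```

A `hashMismatch` of `true` is a useful signal for the handler to log, since it means the fragment no longer matches what the browser dispatched.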