Hi Jordano,

That's what I understood. My problem is that doing 
window.opener.postMessage(result, "*") [1] is a possible security threat IMO.

Someone could use my OAuth client_id to use the API on my behalf and the users' 
authorizations that come along with it.

For example, if the contact app in gaia didn't restrict the postMessage to 
'app://communications.gaiamobile.org' [2], I suppose I could do this:

* Use the mozilla client_id found here [3]
* Create a webapp which opens a new window to the same OAuth provider as the 
contact app (with exactly the same params)
* If the user hasn't already accepted the Mozilla app, the OAuth provider will 
ask "Do you authorize Mozilla to access your data?"
* If the user clicks "Yes", or if he has already authorized the app, the OAuth 
provider will redirect to the mozilla server, which will pass the tokens to 
window.opener, the malicious app, without restriction.
* Use the tokens to access the user's contacts.

I don't have a lot of experience with OAuth, I may be missing something, but 
I am stuck for the moment.

Cheers

[1] https://github.com/arcturus/postmessageitor/blob/master/postmessage.html#L20
[2] https://github.com/mozilla-b2g/gaia/blob/master/apps/communications/contacts/oauth2/js/oauth20.js#L122
[3] https://github.com/mozilla-b2g/gaia/blob/master/apps/communications/contacts/oauth2/js/parameters.js#L45



On Wednesday 13 March 2013 10:32:50 UTC+1, Jordano Francisco (UK) wrote:
> Hi Arnaud,
> 
> On 13/03/2013 00:46, "Arnaud Didry" <[email protected]> wrote:
> 
> >In the case of a packaged app, we can't restrict the diffusion to a
> >specific application because app URIs seem to be unique for each device.
> >Am I wrong? I could add the app uuid alongside the redirect_uri param to
> >use it later in postMessage but it would still allow anyone to use my
> >API client id in a malicious webapp.
> >
> >Having a uri like app://{store_id}, or better, an app domain
> >(app://developer.com) would solve the problem. I didn't find any
> >reference to this feature in the roadmap or in bugzilla. Is this planned?
> >Am I missing something?
> >
> >Besides this oauth problem, having a known uri would be great for a
> >developer to help him identify requests coming from his app by looking at
> >the referer. It would also remove the need to have a server in the
> >authentication flow (provided that the oauth provider allows the app://
> >scheme in the redirect uri).
> 
> The use of the postMessage trick is because OAuth service providers (like
> Gmail, Facebook, etc.) don't recognise the protocol 'app://' as a valid
> redirection URL. So what we do is open a new window and point the
> redirection URL to a host that we control. The only thing that host does
> is get all the variables passed and send them via postMessage to the
> opener window.
> 
> The result is having all the variables that the service provider sends in
> your packaged app.
> 
> There is an example of that service in this open source project:
> 
> https://github.com/arcturus/postmessageitor
> 
> Cheers!
> F.
> 

_______________________________________________
dev-webapps mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-webapps
