On Fri, Apr 9, 2010 at 3:59 AM, Rymaï <[email protected]> wrote:
> Hi,
> I would like to use the HTML5 MessageEvent to allow my container and my modules to send messages to each other.
> Do you think it could be possible to allow the message events (as other allowed events like click, mousemove etc. are allowed), and thus the window.postMessage method, without bringing security problems, since you can control the origin domain (in my case I'll allow only the same domain since my gadgets will be hosted on the same domain as my container)?
> http://www.whatwg.org/specs/web-apps/current-work/multipage/comms.html
Hi Rymaï, this is a great idea, thanks. I've just reread the document at that URL and this interface looks straightforwardly tame-able. Especially MessagePort, which is already very capability-like. (This is not by accident.) Starting with a same-origin restriction is indeed a good idea. But once that works, I'm confident that we can extend this to allow cross-origin messaging without violating object-capability principles. If you'd like to contribute a patch along these lines (see <http://code.google.com/p/google-caja/wiki/ContributingCode>), I'll happily review it. Thanks.

> Thanks in advance,
> Rémy Coutable

Hey, thanks Mark, I don't know the Caja source code very well, so I'm afraid I'll not be able to patch it as soon as I would like. But I tried to understand the source code (and I tried to hack it, compile it, and use it in my Shindig to see my changes, just for code understanding purposes, of course) and to see what I should modify/add. So, correct me if I'm wrong (and I'm pretty sure I'm wrong on some points):

1. I have to add "*::ONMESSAGE" in html4-attributes-whitelist.json
2. I have to add "*::ONMESSAGE" in html4-attributes-defs.json
3. I have to tame the MessageEvent interface in domita.js (similar to the Event taming)
4. Do I have to tame MessagePort as well (because you said it's "already very capability-like")?
5. I don't know how to access the real window element in domita.js (because MessageEvent listeners can only be attached to a window element); it seems that when I call "window.addEventListener('message', handler, false)", the handler is attached to a div element (the tameWindow.node___). Do you currently keep a backed-up copy of the real window element?

So, basically for now I only need the possibility to attach a MessageEvent handler to the real window element (allowing the window to receive MessageEvents and thus allowing it to respond directly to the event source with the event.source attribute).

Thanks for your precious answers, I think with this addition, Caja could be very powerful yet very secure! :)

Rémy Coutable
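As an added illustration of the same-origin restriction the thread relies on (example code written for this page, not from the thread or from the Caja project): a container-side `message` handler that accepts only events from its own origin, validates the payload shape, and replies through `event.source` with a pinned `targetOrigin` rather than `"*"`. The container origin and the MessageEvent-like objects are constructed for this example so the code runs outside a browser.

```javascript
// Assumed container origin (constructed for this example).
const CONTAINER_ORIGIN = "https://container.example";

// Decide whether a MessageEvent-like object may be processed.
// Returns { accepted, reply } on success or { accepted: false, reason } when rejected.
function handleMessage(event, allowedOrigin) {
  // 1. Origin check: the browser fills event.origin from the sender's document,
  //    so this is the one field a sender cannot forge. Compare exactly, never by prefix.
  if (event.origin !== allowedOrigin) {
    return { accepted: false, reason: "origin mismatch" };
  }
  // 2. Shape check: postMessage delivers arbitrary structured data; never trust its type.
  const data = event.data;
  if (typeof data !== "object" || data === null || typeof data.type !== "string") {
    return { accepted: false, reason: "malformed message" };
  }
  // 3. Dispatch on a closed set of message types; anything else is dropped.
  let reply;
  switch (data.type) {
    case "ping":
      reply = { type: "pong", id: data.id };
      break;
    default:
      return { accepted: false, reason: "unknown type: " + data.type };
  }
  // 4. Reply to the sender via event.source, pinning targetOrigin to the allowed
  //    origin so the reply is not delivered if that frame has navigated elsewhere.
  if (event.source && typeof event.source.postMessage === "function") {
    event.source.postMessage(reply, allowedOrigin);
  }
  return { accepted: true, reply };
}

// Constructed stand-in for a MessageEvent; `sent` records what event.source receives.
function makeEvent(origin, data, sent) {
  return {
    origin,
    data,
    source: { postMessage: (msg, targetOrigin) => sent.push({ msg, targetOrigin }) },
  };
}

// In a browser the container would register the handler on the real window;
// guarded so the file also loads under Node for the constructed events above.
if (typeof window !== "undefined") {
  window.addEventListener("message", (e) => handleMessage(e, window.location.origin), false);
}
```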
