Re: [whatwg] Fixed a security problem with postMessage()

2008-02-12 Thread Jeff Walden

Ian Hickson wrote:

> * message.domain isn't actually enough to verify any security, given that
> on shared hosts one IP address can map to several hostnames and thus people
> can end up running servers on different ports that respond to requests from
> domains they don't own.
>
> * message.uri can leak information, e.g. if the user's password is in the
> query component of the URI.

Good catches on both; I agree these changes make sense.

> I've replaced both with .origin, which is intended to return the
> scheme://hostname/ or scheme://hostname:port/ (when the port is non-standard)
> of the origin of the source document.

I assume you meant without the trailing slash, given that that's actually part
of the path?

This doesn't sound like it should be too hard to implement, although the manual
splicing-out of the username/password from the origin is slightly worrying (if
entirely necessary) from a careful-manipulation-is-tricky point of view.  I
don't see any other option, tho, on that point.

Jeff


Re: [whatwg] Fixed a security problem with postMessage()

2008-02-12 Thread Ian Hickson
On Tue, 12 Feb 2008, Jeff Walden wrote:
> I assume you meant without the trailing slash, given that that's
> actually part of the path?

Yes.

-- 
Ian Hickson   U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/   U+263A/,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'


[whatwg] Fixed a security problem with postMessage()

2008-02-12 Thread Ian Hickson

While going through the feedback for postMessage(), I noticed a couple of 
security problems that nobody had raised:

 * message.domain isn't actually enough to verify any security, given that 
   on shared hosts one IP address can map to several hostnames and thus 
   people can end up running servers on different ports that respond to 
   requests from domains they don't own.

 * message.uri can leak information, e.g. if the user's password is in the 
   query component of the URI.

Basically, .domain is too little, and .uri is too much.

I've replaced both with .origin, which is intended to return the 
scheme://hostname/ or scheme://hostname:port/ (when the port is 
non-standard) of the origin of the source document.

It's still vague for data: URIs, etc; I have outstanding feedback on that 
matter and will address that when I respond to that feedback.

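As an added example (not code from this thread, the spec, or any browser), here is what the .origin value Ian describes looks like for a few document URLs, and the exact-match check a receiver applies to it; it also shows why Jeff's userinfo-splicing worry goes away when the origin is built from parsed components. It assumes the WHATWG URL parser available in Node and browsers; the helper names and sample URLs are mine.

```javascript
// Added example for this thread; not code from the thread or from a browser.
// It shows the .origin value described above (scheme://host, or
// scheme://host:port for a non-default port, no trailing slash, no
// userinfo, path or query) and the exact-match check a receiver should use.
// Assumes the WHATWG URL parser available in Node and browsers.

// Default ports for the schemes that have a host/port ("tuple") origin.
const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Serialize the origin of a document URL from parsed components, so that
// username, password, path, query and fragment never reach the result.
// The parser already drops a default port; the comparison documents the rule.
// Returns "null" for data:, blob:, file: and similar, the case the thread
// leaves open as "still vague".
function serializeOrigin(urlString) {
  const u = new URL(urlString);
  if (!(u.protocol in DEFAULT_PORT)) return "null";
  const port = u.port && u.port !== DEFAULT_PORT[u.protocol] ? ":" + u.port : "";
  return `${u.protocol}//${u.hostname}${port}`;
}

// Receiver side: accept event.data only when event.origin is exactly one of
// the origins we expect. Compare whole strings: a prefix or substring test
// would also match an unrelated host whose name merely starts with ours,
// and, per the first bullet above, a different port on the same host is a
// different origin. In a page this is wired up as
// window.addEventListener("message", e => acceptMessage(e, allowed)).
function acceptMessage(event, allowedOrigins) {
  return allowedOrigins.includes(event.origin) ? event.data : undefined;
}

// Constructed sample run: a message event as a plain object (no browser).
const sampleEvent = {
  origin: serializeOrigin("https://alice:pw@app.example.test:443/in?x=1"),
  data: "ping",
};
console.log(sampleEvent.origin, acceptMessage(sampleEvent, ["https://app.example.test"]));
```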