On Sat, 14 Feb 2009, Jeff Walden wrote:
>
> The spec should mention that even after MessageEvent.origin's value has
> been checked, MessageEvent.data should also be checked for structural
> correctness, because if the target window contains an XSS hole, improper
> validation of incoming messages could result in the target window's XSS
> hole being propagated into the sender's window as well.
>
> For example, consider a site A which requests a particular string of
> JSON data from site B, which it then parses into an object using eval().
> If site B is subvertible, the response JSON string may instead be
> arbitrary script which would be executed by site A *as* site A's code.
> Proper validation by site A would mean checking that the sent string
> actually is JSON and not arbitrary syntactically-correct JavaScript.
>
> (Ignore the fact that the site shouldn't be unserializing JSON data
> using eval(), and further ignore that structured data-passing makes this
> particular use obsolescent. Other instances of contamination may be
> possible depending on the sent data and its structure, and this was just
> the simplest example to explain.)
Done.
--
Ian Hickson U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
