Does this support include any mechanism to verify the domain of the parent page?

Some gadgets rely on cookies to authenticate users and then pass
information to the parent page.  That's only safe if they can figure
out the domain of the parent page.

window.postMessage and IFPC both provide that protection.

On Tue, Oct 21, 2008 at 2:10 PM, John Hjelmstad (JIRA) <[EMAIL PROTECTED]> wrote:
>
>     [ 
> https://issues.apache.org/jira/browse/SHINDIG-416?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
>  ]
>
> John Hjelmstad resolved SHINDIG-416.
> ------------------------------------
>
>    Resolution: Fixed
>
> Committed r706769.
>
>> Implement window.opener-based IE transport ("NIX") in gadgets.rpc
>> -----------------------------------------------------------------
>>
>>                 Key: SHINDIG-416
>>                 URL: https://issues.apache.org/jira/browse/SHINDIG-416
>>             Project: Shindig
>>          Issue Type: Improvement
>>          Components: Features (Javascript)
>>            Reporter: John Hjelmstad
>>            Assignee: John Hjelmstad
>>         Attachments: rpc.js.patch
>>
>>
>> Joey Schorr and I have been developing a technique for high-speed 
>> cross-domain message passing in IE6 and IE7 that exploits an odd property: 
>> for a given window object, window.opener can be set by any party, but only 
>> read by the controlling window.
>> The message-passing technique is to pass a "channel creation" object from 
>> the container, across domain boundaries, to the gadget. The gadget uses this 
>> object to establish a bi-directional communication channel used by all 
>> subsequent gadgets.rpc calls.
>> We can't pass a JavaScript object through window.opener, however, because 
>> doing so enables access to the passing agent's full window context. E.g. if 
>> the container sets window.opener = function() { ... }, then the gadget can 
>> access the entire container page with:
>> var containerWindow = (new window.opener.constructor("return window;"))();
>> Instead, we pass a VBScript (COM) wrapper through window.opener, since COM 
>> objects don't have this property. The gadget passes back such a wrapper as 
>> well, ensuring mutually isolated contexts.
>> Patch forthcoming.
>
> --
> This message is automatically generated by JIRA.
> -
> You can reply to this email to add a comment to the issue online.
>
>
