Reviewers: shindig.remailer, beaton

Description:
Some type=url gadgets may retrieve sensitive data via cookie, and potentially communicate that data to their container by way of gadgets.rpc.
In this case, such gadgets need to verify their parent to avoid this data being stolen by a malicious website. The attached patch forces use of a "verifiable parent" message transport - currently, only IFPC fits this description, as a transport whose relayUrl can be trusted for its host information, when the message is sent correctly at all. Please review this at http://codereview.appspot.com/28115 Affected files: src/main/javascript/features/rpc/rpc.js Index: src/main/javascript/features/rpc/rpc.js =================================================================== --- src/main/javascript/features/rpc/rpc.js (revision 758850) +++ src/main/javascript/features/rpc/rpc.js (working copy) @@ -783,6 +783,17 @@ }, /** + * Forces all subsequent calls to be made by a transport + * method that allows the caller to verify the message receiver + * (by way of the parent parameter, through getRelayUrl(...)). + * At present this means IFPC only, since WPM/DPM targetOrigin + * is not yet validated. + */ + forceParentVerifiable: function() { + relayChannel = 'ifpc'; + }, + + /** * Calls an RPC service. * @param {String} targetId Module Id of the RPC service provider. * Empty if calling the parent container.
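
Review bot: forceParentVerifiable() assigns relayChannel = 'ifpc' unconditionally, and neither the function nor its doc comment covers the check that the description relies on. The comment says the caller verifies the receiver "by way of the parent parameter, through getRelayUrl(...)", but nothing in the added lines confirms that a relay URL is set for the parent or that its host is one the gadget expects. A gadget that calls this and then sends cookie-derived data is therefore only protected if it validates the parent value itself. Please state that requirement in the comment, along with the fact that the call must precede the first gadgets.rpc.call carrying sensitive data and that this hunk adds no way to undo it. Consider having the function fail closed (return false or throw) when no relay URL is available for the parent, so that a misconfigured gadget does not send silently. The comment would also read better with the reason for excluding WPM/DPM tied to a tracking issue or TODO, so the restriction can be revisited once targetOrigin is validated.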