13588 – [web messaging] Erroneous origin check in algorithm

This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 13588 - [web messaging] Erroneous origin check in algorithm

Summary: [web messaging] Erroneous origin check in algorithm

Status:	RESOLVED INVALID

Alias:	None

Product:	WebAppsWG
Classification:	Unclassified
Component:	Web Messaging (editor: Ian Hickson) (show other bugs)
Version:	unspecified
Hardware:	Other All

Importance:	P3 normal
Target Milestone:	---
Assignee:	Ian 'Hixie' Hickson
QA Contact:	public-webapps-bugzilla

URL:	http://www.w3.org/mid/1312266627.1309...
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2011-08-03 05:54 UTC by HTML WG bugbot
Modified:	2011-10-20 09:06 UTC (History)
CC List:	8 users (show)

See Also:

Attachments

Description HTML WG bugbot 2011-08-03 05:54:15 UTC

public-html-comments posting from: Philippe De Ryck <philippe.deryck@cs.kuleuven.be>
http://www.w3.org/mid/1312266627.13091.4.camel@papyrus

The following comment contains detailed information about an issue that
was discovered during a recent security analysis of 13 next generation
web standards, organized by ENISA (European Network and Information
Security Agency), and performed by the DistriNet Research Group (K.U.
Leuven, Belgium).

The complete report is available at http://www.enisa.europa.eu/html5
(*), and contains information about the process, the discovered
vulnerabilities and recommendations towards improving overall security
in the studied specifications.

 Summary 
---------

The specification uses the origin of the script's document for checks,
except in step 9 of the algorithm to post a message.

Based on: HTML5 Web Messaging, 7 July 2011
Relevant Sections: 4.3. Posting Messages

 Issue
-------

Throughout the specification, the origin of the script's document is
used. In section 4.3, step 9 of the algorithm, the origin attribute is
set to the "origin of the script that invoked the method". This should
probably be the "origin of the document of the script that ...", to
handle cases of domain relaxation (using document.domain). This is also
how it is currently implemented (tested in Firefox and Chrome)


 Recommended Solution
----------------------

Update step 9 of the specification to the following (addition marked by
--> <--): 

Create an event that uses the MessageEvent interface, with the event
name message, which does not bubble, is not cancelable, and has no
default action. The data attribute must be set to the value of message
clone, the origin attribute must be set to the Unicode serialization of
the origin of --> document containing <-- the script that invoked the
method, the source attribute must be set to the script's global object's
WindowProxy object, and the ports attribute must be set to the new ports
array.



(*) HTML version of the report is available as well:
https://distrinet.cs.kuleuven.be/projects/HTML5-security/

-- 
Philippe De Ryck
K.U.Leuven, Dept. of Computer Science


Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm

Comment 1 Arthur Barstow 2011-08-03 12:27:12 UTC

Before this bug was filed, there was some related discussion on public-webapps list:

  http://lists.w3.org/Archives/Public/public-webapps/2011JulSep/0559.html

Comment 2 Simon Pieters 2011-08-05 12:53:09 UTC

Unless I've misunderstood this bug, "origin of a script" is actually "origin of the document of the script", if the script is contained in a document. See http://www.whatwg.org/specs/web-apps/current-work/complete/origin-0.html#origin-0 "For scripts".

Comment 3 Ian 'Hixie' Hickson 2011-08-08 21:47:02 UTC

Marking INVALID per http://lists.w3.org/Archives/Public/public-webapps/2011JulSep/0560.html