This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 14329 - Add a warning about high-volume traffic through MessagePort being a DOS risk for UAs and scripts
Summary: Add a warning about high-volume traffic through MessagePort being a DOS risk ...
Status: RESOLVED FIXED
Alias: None
Product: WebAppsWG
Classification: Unclassified
Component: Web Messaging (editor: Ian Hickson) (show other bugs)
Version: unspecified
Hardware: Other other
: P3 normal
Target Milestone: ---
Assignee: Ian 'Hixie' Hickson
QA Contact: public-webapps-bugzilla
URL: http://www.whatwg.org/specs/web-apps/...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-09-28 18:23 UTC by contributor
Modified: 2011-10-25 00:01 UTC (History)
4 users (show)

See Also:

Attachments

Description contributor 2011-09-28 18:23:05 UTC 
Specification: http://dev.w3.org/html5/postmsg/
Multipage: http://www.whatwg.org/C#top
Complete: http://www.whatwg.org/c#top

Comment:
I believe the possible DoS attack "message flooding" should be addressed i.e.
a rogue domain uses "postMessage" to crash an implementation, crash another
window etc.

Jean-Lou Dupont
html5@jldupont.com

Posted from: 173.178.98.120
User agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.21 Safari/535.2
Comment 1 Ian 'Hixie' Hickson 2011-10-02 16:40:30 UTC 
Why would it crash anything? I don't understand the attack vector here. Can you elaborate?
Comment 2 Jean-Lou Dupont 2011-10-03 00:03:21 UTC 
E.g. domain "R" sending way too much messages to legitimate domain "D".  Domain's "D" queue would fill up and the page might become unresponsive or legitimate messages would get dropped in queue because of overflow.

Wouldn't those cases be probable?
Comment 3 Ian 'Hixie' Hickson 2011-10-03 23:44:02 UTC 
How would domain R get access to a port to send something to D in the first place?

I can certainly add a note that mentions that user agents may wish to throttle the rate of message delivery so that it does not interfere with the user interface, and a note to authors saying that they should consider if the remote end is sending messages too fast and if so consider closing the port. Would that be sufficient?
Comment 4 Jean-Lou Dupont 2011-10-04 15:36:31 UTC 
(In reply to comment #3)
> How would domain R get access to a port to send something to D in the first
> place?
Maybe my usage of the word "rogue" was a bit off.

> 
> I can certainly add a note that mentions that user agents may wish to throttle
> the rate of message delivery so that it does not interfere with the user
> interface, and a note to authors saying that they should consider if the remote
> end is sending messages too fast and if so consider closing the port. Would
> that be sufficient?

Since queue parameters (i.e. depth, rate, policy strategy etc) don't seem to get standardize in W3, your proposal to add a cautionary note appears adequate.
Comment 5 Ian 'Hixie' Hickson 2011-10-25 00:01:10 UTC 
EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document:
   http://dev.w3.org/html5/decision-policy/decision-policy.html

Status: Partially Accepted
Change Description: see diff given below
Rationale: I added some informative text about this to the window.postMessage() section. I didn't add anything to the MessagePort section since an attacker couldn't get a MessagePort from another domain unless the other domain explicitly sent one to the attacker. Let me know if you think I should add anything else.
Comment 6 contributor 2011-10-25 00:01:24 UTC 
Checked in as WHATWG revision r6743.
Check-in comment: Mention some DOS risks with window.postMessage().
http://html5.org/tools/web-apps-tracker?from=6742&to=6743