This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 14900 - note about checking "origin" attribute of MessageEvent
Summary: note about checking "origin" attribute of MessageEvent
Status: RESOLVED NEEDSINFO
Alias: None
Product: WebAppsWG
Classification: Unclassified
Component: HISTORICAL - Server-Sent Events (editor: Ian Hickson)
Version: unspecified
Hardware: PC Windows NT
Importance: P2 normal
Target Milestone: ---
Assignee: Ian 'Hixie' Hickson
QA Contact: public-webapps-bugzilla
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-11-22 08:46 UTC by vic99999
Modified: 2012-07-25 03:02 UTC
CC: 3 users

See Also:



Description vic99999 2011-11-22 08:46:27 UTC
http://www.html5rocks.com/en/tutorials/eventsource/basics/#toc-security

"Authors should check the origin attribute to ensure that messages are only accepted from domains that they expect to receive messages from. Otherwise, bugs in the author's message handling code could be exploited by hostile sites."

That warning is especially relevant for window.postMessage() messages and not so much for EventSource and WebSocket, and this should be marked in the spec.

see http://krijnhoetmer.nl/irc-logs/whatwg/20111122#l-381
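The check that the quoted paragraph asks for, applied to window.postMessage() as this report says it should be, as an added example that is not part of the bug report, the spec, or html5rocks. The allowlist, the function names (isTrustedOrigin, makeMessageHandler, postTo) and the fake MessageEvent objects are all constructed for this example; in a real page the handler is registered with window.addEventListener("message", ...).

```javascript
// Added example, not code from the bug report or the spec. Names below
// (ALLOWED_ORIGINS, isTrustedOrigin, makeMessageHandler, postTo) are assumptions.

// Constructed allowlist of full origins (scheme + host + port). Bare hostnames
// or URL prefixes are not origins and must not be used here.
const ALLOWED_ORIGINS = ["https://app.example.com", "https://partner.example.net:8443"];

// Exact comparison against the allowlist. Substring or prefix tests such as
// origin.includes("example.com") or origin.startsWith("https://app.example.com")
// are a classic bug: they also accept "https://app.example.com.evil.example".
function isTrustedOrigin(origin, allowlist) {
  return allowlist.includes(origin);
}

// Builds an onmessage handler. `dispatch` only ever sees messages whose
// event.origin passed the check; rejected messages are counted, not answered.
function makeMessageHandler(allowlist, dispatch) {
  const stats = { accepted: 0, rejected: 0 };
  const handler = (event) => {
    if (!isTrustedOrigin(event.origin, allowlist)) {
      stats.rejected += 1;
      return; // drop silently: replying would confirm the handler exists
    }
    stats.accepted += 1;
    dispatch(event.data, event.origin);
  };
  handler.stats = stats;
  return handler;
}

// Sender side of the same contract: always name the receiver's origin. With
// targetOrigin "*" whatever document currently occupies targetWindow gets the data.
function postTo(targetWindow, data, targetOrigin) {
  if (targetOrigin === "*") {
    throw new Error("refusing to postMessage with targetOrigin '*'");
  }
  targetWindow.postMessage(data, targetOrigin);
}

// Constructed stand-in for MessageEvent so the example runs outside a browser.
function fakeMessageEvent(origin, data) {
  return { origin, data };
}

function demo() {
  const received = [];
  const onmessage = makeMessageHandler(ALLOWED_ORIGINS, (data, origin) => {
    received.push(`${origin}:${data}`);
  });
  // Constructed traffic: two legitimate senders and four look-alikes.
  const events = [
    fakeMessageEvent("https://app.example.com", "ok-1"),
    fakeMessageEvent("https://app.example.com.evil.example", "prefix-attack"),
    fakeMessageEvent("http://app.example.com", "wrong-scheme"),
    fakeMessageEvent("https://app.example.com:444", "wrong-port"),
    fakeMessageEvent("null", "opaque-origin"),
    fakeMessageEvent("https://partner.example.net:8443", "ok-2"),
  ];
  for (const e of events) onmessage(e);

  // Fake target window records what would have been posted and where.
  const posted = [];
  const fakeWindow = { postMessage: (data, target) => posted.push(`${target}:${data}`) };
  postTo(fakeWindow, "hello", "https://app.example.com");

  return { received, stats: onmessage.stats, posted };
}

// In a browser: window.addEventListener("message", makeMessageHandler(ALLOWED_ORIGINS, handle));
```

The reason this check matters for postMessage and not for an EventSource handler follows from who can send: any document that holds a reference to the window can call postMessage on it, so the origin field is the only thing that tells the receiver who is talking.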
Comment 1 Ian 'Hixie' Hickson 2012-07-10 20:03:16 UTC
Upon further investigation, that paragraph is already deep within the window.postMessage() part of the spec; it's not generically near the MessageEvent object, nor anywhere near the EventSource stuff. Not sure how to make this better.