14329 2011-09-28 18:23:05 +0000 Add a warning about high-volume traffic through MessagePort being a DOS risk for UAs and scripts 2011-10-25 00:01:24 +0000 1 1 1 Unclassified WebAppsWG Web Messaging (editor: Ian Hickson) unspecified Other other RESOLVED FIXED http://www.whatwg.org/specs/web-apps/current-work/#top P3 normal --- 1 contributor ian html5 ian mike public-webapps public-webapps-bugzilla oldest_to_newest 57483 0 contributor 2011-09-28 18:23:05 +0000 Specification: http://dev.w3.org/html5/postmsg/ Multipage: http://www.whatwg.org/C#top Complete: http://www.whatwg.org/c#top Comment: I believe the possible DoS attack "message flooding" should be addressed i.e. a rogue domain uses "postMessage" to crash an implementation, crash another window etc. Jean-Lou Dupont html5@jldupont.com Posted from: 173.178.98.120 User agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.21 Safari/535.2 57641 1 ian 2011-10-02 16:40:30 +0000 Why would it crash anything? I don't understand the attack vector here. Can you elaborate? 57676 2 html5 2011-10-03 00:03:21 +0000 E.g. domain "R" sending way too much messages to legitimate domain "D". Domain's "D" queue would fill up and the page might become unresponsive or legitimate messages would get dropped in queue because of overflow. Wouldn't those cases be probable? 57735 3 ian 2011-10-03 23:44:02 +0000 How would domain R get access to a port to send something to D in the first place? I can certainly add a note that mentions that user agents may wish to throttle the rate of message delivery so that it does not interfere with the user interface, and a note to authors saying that they should consider if the remote end is sending messages too fast and if so consider closing the port. Would that be sufficient? 57772 4 html5 2011-10-04 15:36:31 +0000 (In reply to comment #3) > How would domain R get access to a port to send something to D in the first > place? Maybe my usage of the word "rogue" was a bit off. > > I can certainly add a note that mentions that user agents may wish to throttle > the rate of message delivery so that it does not interfere with the user > interface, and a note to authors saying that they should consider if the remote > end is sending messages too fast and if so consider closing the port. Would > that be sufficient? Since queue parameters (i.e. depth, rate, policy strategy etc) don't seem to get standardize in W3, your proposal to add a cautionary note appears adequate. 58810 5 ian 2011-10-25 00:01:10 +0000 EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document: http://dev.w3.org/html5/decision-policy/decision-policy.html Status: Partially Accepted Change Description: see diff given below Rationale: I added some informative text about this to the window.postMessage() section. I didn't add anything to the MessagePort section since an attacker couldn't get a MessagePort from another domain unless the other domain explicitly sent one to the attacker. Let me know if you think I should add anything else. 58811 6 contributor 2011-10-25 00:01:24 +0000 Checked in as WHATWG revision r6743. Check-in comment: Mention some DOS risks with window.postMessage(). http://html5.org/tools/web-apps-tracker?from=6742&to=6743