On Jan 30, 2008, at 6:00 PM, Jeff Walden wrote:
> I briefly wrote up some documentation on postMessage for the Mozilla
> Developer Center:
> http://developer.mozilla.org/en/docs/DOM:window.postMessage
>
> If you pull it up, you'll note two places where I include big, huge,
> overbearing, somewhat-exaggerating injunctions about first checking
> the domain/uri/source properties of the received message before
> trusting the sent data.
>
> Writing those got me thinking: what if we could "enforce" not
> touching the data before verifying the sender's identity?
> Specifically, what if we required that either .domain or .uri be
> read prior to allowing .data to be successfully accessed, say,
> without throwing a security error? (No reason comes to mind
> for .source to participate in this scheme, either to throw or to
> allow access to .data, but I haven't given it serious thought.)
>
> This would prevent unknowing misuse of this functionality, and safe
> uses wouldn't be affected. I think this would only apply to the
> event dispatched by postMessage, not to MessageEvent, as the latter
> is same-origin and there's no harm to a same-origin MessageEvent.
>
> Thoughts? A no-harm slight increase of the ability to prevent
> incorrect use of postMessage, or excessive nannying?

The more convenient version of that would be to require clients to
describe allowed senders when registering for the event in some way.
That would seem more like a convenience and less like a hoop to jump
through.

Regards,
Maciej
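Both ideas from the exchange above, as an added example that is not code from the thread, from Mozilla, or from the postMessage spec: a wrapper that throws if `.data` is read before the sender's origin has been checked (Jeff's enforcement idea), and a registration helper that takes the list of allowed senders up front (Maciej's convenience version). It assumes the `origin` property that MessageEvent eventually shipped with (the 2008 draft's `.domain`/`.uri` did not survive), and uses a constructed stand-in for `window` so it runs outside a browser.

```javascript
// Added example (not the thread's or Mozilla's code). Uses the MessageEvent
// property that shipped, `origin`, where the 2008 draft had .domain/.uri.

// Jeff's proposal: make reading event.data throw unless event.origin has
// already been read. Implemented here as a Proxy over the event object.
function guardMessageEvent(event) {
  let originChecked = false;
  return new Proxy(event, {
    get(target, prop) {
      if (prop === "origin") originChecked = true;
      if (prop === "data" && !originChecked) {
        throw new Error("SecurityError: read event.origin before event.data");
      }
      const value = target[prop];
      // Bind methods to the real event so DOM getters/methods keep working.
      return typeof value === "function" ? value.bind(target) : value;
    },
  });
}

// Maciej's suggestion: declare allowed senders when registering, so the
// handler only ever sees messages whose origin matched exactly.
function listenFromOrigins(target, allowedOrigins, handler) {
  const allowed = new Set(allowedOrigins);
  const listener = (event) => {
    // Exact match on the serialized origin; substring or regex matching
    // is the usual way this check is written wrongly.
    if (!allowed.has(event.origin)) return;
    handler(event.data, event.origin, event.source);
  };
  target.addEventListener("message", listener);
  return () => target.removeEventListener("message", listener); // unsubscribe
}

// Constructed stand-in for `window`, so the example runs outside a browser.
function makeFakeWindow() {
  const listeners = [];
  return {
    addEventListener(type, fn) { if (type === "message") listeners.push(fn); },
    removeEventListener(type, fn) {
      const i = listeners.indexOf(fn);
      if (i >= 0) listeners.splice(i, 1);
    },
    dispatchEvent(event) { listeners.slice().forEach((fn) => fn(event)); },
  };
}
```

In a real page the call is `listenFromOrigins(window, ["https://trusted.example"], handler)`; the handler receives only messages whose `event.origin` is exactly one of the listed strings.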