On Feb 7, 2008, at 2:27 AM, Hallvord R M Steen wrote:
>> The source attribute of the message event does not leak any privileges to the recipient in Internet Explorer, Firefox, and Safari because these browsers do not make this assumption and instead check whether the script is permitted to navigate the frame when the script assigns window.location.
> Adam, I don't quite follow you here because I don't know any IE or Safari implementation of window.postMessage. I'm quite sure IE doesn't implement it; I tried googling for Safari and postMessage/cross-document messaging but didn't find anything. As far as I know only Firefox 3 betas and Opera support this, so no other implementations can be tested.
The current development version of WebKit includes support for cross-document messaging. I don't think any publicly available version of IE has it. However, I think Adam was speaking in the general sense here, that getting a window object reference that you couldn't otherwise would not leak navigation capability in the named browsers regardless of how you get it.
>> Other browsers do not equate having a JavaScript pointer to a frame with the ability to navigate that frame.
> Again if you can back that up with test cases I'd love to see them :-)
I don't have a test case handy for this but I can assure you Safari/WebKit only allows navigating other frames in the following cases:
// The navigation change is safe if the active frame is:
// - in the same security origin as the target or one of the target's ancestors
// Or the target frame is:
// - a top-level frame in the frame hierarchy
This test is applied at the time window.location is assigned. If these conditions are not met, assigning the location property of another frame/window has no effect.

You can probably figure out how to make a test case based on this.
Regards,
Maciej
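An added example, not part of the thread or of WebKit's source, that models the navigation rule quoted above in JavaScript over a constructed frame tree: the `Frame` class, the helper names and the origins used are all assumptions chosen for illustration, and origins are compared as plain strings rather than as real security origins.

```javascript
// Constructed frame tree (hypothetical helper, not a browser API).
class Frame {
  constructor(name, origin, parent = null) {
    this.name = name;
    this.origin = origin;
    this.parent = parent;
    this.url = origin + '/';
  }
  // Walks from the parent up to the top-level frame.
  ancestors() {
    const out = [];
    for (let f = this.parent; f !== null; f = f.parent) out.push(f);
    return out;
  }
  isTopLevel() {
    return this.parent === null;
  }
}

// The quoted rule: navigation is permitted if the target is top-level, or if the
// active frame's origin matches the target or any of the target's ancestors.
// Nothing here depends on how the active frame obtained its reference, which is
// why a window handed over via event.source grants no extra navigation power.
function canNavigate(active, target) {
  if (target.isTopLevel()) return true;
  return [target, ...target.ancestors()].some(f => f.origin === active.origin);
}

// Models assigning window.location: the check runs at assignment time and a
// disallowed assignment leaves the target's URL unchanged.
function assignLocation(active, target, url) {
  if (canNavigate(active, target)) target.url = url;
  return target.url;
}

// Constructed sample: a news page embedding a third-party ad frame, which embeds a
// widget frame, plus a same-origin sidebar frame next to the ad.
function buildSampleTree() {
  const top = new Frame('top', 'https://news.example');
  const ad = new Frame('ad', 'https://ads.example', top);
  const widget = new Frame('widget', 'https://widget.example', ad);
  const sidebar = new Frame('sidebar', 'https://news.example', top);
  return { top, ad, widget, sidebar };
}
```

With this tree the sidebar may navigate the widget (it shares an origin with the widget's top-level ancestor), the widget may navigate the top-level frame, but the widget may not navigate the ad frame or the sidebar.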