postMessage()’s targetOrigin and security

Right after the “Opera breaks eBay because we're too secure” issue, another problem where we're being stricter than other browsers appeared on my radar. This time it's HTML5's new postMessage() method. The second argument to this method lets you specify which site the message may be delivered to, so if you do

win.postMessage('test', 'http://www.example.com/')

the web browser should make sure no other site than http://www.example.com can receive the message.

The problem is that all other browsers allow something like

win.postMessage('test', 'http://www.example.com/foo/bar')

while Opera follows the current text of the HTML5 spec and throws an exception if there is a path, query string or fragment in the second argument. Some features Facebook embeds in other websites fail in Opera because Facebook composes the "origin" string it passes to postMessage() this way:

FB.XD._origin=(window.location.protocol+'//'+window.location.host+'/'+FB.guid());

(source) and the '/' followed by the string returned by FB.guid() puts a path component into the target origin, which causes an exception in Opera when Facebook tries posting messages.
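To make the distinction concrete, here is an added example (my own code, not from the original post, Opera or Facebook) that composes and checks a targetOrigin the way the strict reading of the spec described above expects: the value must be "*", "/" or a bare origin (scheme://host[:port]) with no path, query string or fragment. It relies only on the WHATWG URL class, which is global in browsers and in Node.js; the window.location stand-in and the FB.guid() stand-in are constructed values for illustration.

```javascript
// Added example: helpers for composing and checking the targetOrigin
// argument of postMessage() under the strict reading of the spec.

// Reduce an absolute URL to its origin; "*" and "/" pass through unchanged.
// Throws for values with no host-specific origin ("mailto:" or "file:" URLs
// parse to the opaque origin "null").
function toTargetOrigin(value) {
  if (value === '*' || value === '/') return value;
  let url;
  try {
    url = new URL(value);
  } catch (e) {
    throw new SyntaxError('targetOrigin is not an absolute URL: ' + value);
  }
  if (url.origin === 'null') {
    throw new SyntaxError('targetOrigin has no host-specific origin: ' + value);
  }
  return url.origin; // e.g. "http://www.example.com", no trailing slash
}

// Strict acceptance check mirroring the behaviour the post attributes to
// Opera: accept "*", "/" or an origin optionally followed by a single "/",
// and reject anything that carries a path, query string or fragment.
function isStrictTargetOrigin(value) {
  if (value === '*' || value === '/') return true;
  let url;
  try {
    url = new URL(value);
  } catch (e) {
    return false;
  }
  // A serialised URL that equals origin + "/" has an empty path and no
  // query or fragment (even a bare "?" or "#" survives serialisation).
  return url.origin !== 'null' && url.href === url.origin + '/';
}

// Compose the value the way the Facebook snippet quoted above does, minus
// the guid: protocol + "//" + host is already the origin. `loc` stands in
// for window.location (a constructed object, not the real one).
function originOf(loc) {
  return loc.protocol + '//' + loc.host;
}

// Receiver-side counterpart: a message handler should compare event.origin
// with an allowlist of exact origins before acting on event.data.
function acceptMessage(event, allowedOrigins) {
  return allowedOrigins.includes(event.origin) ? event.data : null;
}

// Constructed sample values (fbGuid is a stand-in for FB.guid(), not the real function).
const sampleLocation = { protocol: 'http:', host: 'www.example.com' };
const fbGuid = 'f1a2b3c4';
const facebookStyle = originOf(sampleLocation) + '/' + fbGuid; // "http://www.example.com/f1a2b3c4"
const correctedStyle = originOf(sampleLocation);                // "http://www.example.com"

console.log(facebookStyle, isStrictTargetOrigin(facebookStyle));   // false
console.log(correctedStyle, isStrictTargetOrigin(correctedStyle)); // true
console.log(toTargetOrigin('http://www.example.com/foo/bar'));     // http://www.example.com
```

Calling toTargetOrigin() on whatever string a page already has is the lenient path (the behaviour the post reports in Gecko and WebKit); isStrictTargetOrigin() is the check that fails for the Facebook-style value, and originOf() is the one-line fix on the sending side. The receiver-side acceptMessage() is the complementary check: a sender's targetOrigin limits who receives, and only the receiver's comparison of event.origin limits whose messages it trusts.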

Had I written this blog post last week, I would have pointed fingers at Gecko and WebKit for not being able to implement even new specs correctly. However, luckily I first posted about the issue on the WHATWG list, and the subsequent discussion clarified that this exception was added to the spec after the implementations were written (at least in Mozilla's case). So who is to blame?

  • The HTML5 editor and working group for continuing to change features that are already implemented, shipped, and in use on the web?
  • Facebook for coding according to implementations rather than to the spec?
  • Mozilla and WebKit for not tracking the spec's changes and updating their implementations as soon as possible (it's been two years since this requirement was added to the spec, after all)?

I don't know, and looking for someone to blame is a waste of time anyway. We'll change Opera to match the others, and I've used the WHATWG spec's review feature to report a spec bug. While he's at it, I guess the editor should also remove the '/' shortcut for "current origin".


24 thoughts on “postMessage()’s targetOrigin and security”

  1. Did I kick off the whole discussion with DSK-302997?! Oops… I think all of the named groups are to blame. And for exactly the reasons you mentioned. If only one of them (Facebook speaking for every website/web developer) had done their job like they should, such problems would not appear. And if all of them shared the expense, it would not even be worth talking about. It's like with everything else 🙂

  2. Who is to blame??? Everyone you cited. You'll change Opera to the old spec too…! :eek: So it should really be causing errors for lots of people, huh.

  3. while Opera follows the current text of the HTML5 spec

    Has the spec been fixed? When I read Step 1, it looks like it's saying that the string must be "*" or "/" or an absolute URI/IRI with a non-empty authority (host + optional port, which Ian calls 'host-specific', a term that is undefined in the spec and the IRI RFC) followed by the end of the string or "/". But, "to me", it's NOT saying anything (whether for or against) about what comes after the "/", which to me says that a path etc. IS allowed. The only reason I would believe that the path, query and fragment parts are forbidden is http://html5.org/tools/web-apps-tracker?from=2353&to=2354 Even if my interpretation is way off, that's all the more reason for Ian to clarify it. I also think Firefox's *handling* is more robust, although I don't feel strongly either way.

  4. Originally posted by ouzoWTF:

    Did I kick off the whole discussion with DSK-302997?! Oops…

    You did indeed 🙂 Only days after looking at your bug I noticed the same problem in Facebook's script – thanks to your report I knew what it was all about :).

    Originally posted by burnout426:

    Has the spec been fixed?

    Not yet, but this stuff is hard to read because it is very "work-in-progressy". The 'host-specific' term that is not defined in the spec or the old RFC is intended to be defined in a new RFC or spec I believe – I was sent to a draft of one when asking about these terms in the IRC channel. So it seems Opera's interpretation is indeed what the spec as-is intends.

  5. IMO, the following

    Originally posted by hallvors:

    Mozilla and WebKit for not tracking the spec's changes and updating their implementations as soon as possible (it's been two years since this requirement was added to the spec, after all)?

    Someone always gets shot in the foot when bleeding edge features are implemented, and almost either by magic or circumstances, it's always the smaller browsers.

  6. At least now is a good time to talk w/ Mozilla and Google and the WebKit team. Though Facebook fails web validation for the home page after log in very badly: "Errors found while checking this document as XHTML 1.0 Strict! Result: 9998 Errors, 1880 warning(s)" (validate local). In the Facebook Opera group I keep seeing the question about Facebook & Opera; I hope this helps in solving some of the issues.

  7. Originally posted by xErath:

    by magic or circumstances, it's always the smaller browsers

    Some weird and anti-competitive magic at work there :-p

  8. I'm a little mystified. If the intent was to limit to domains, why is the parameter a URI instead of a host-name?

  9. Because protocol and even the optional port are also considered when you calculate the origin of a document or script.

  10. Originally posted by hallvors:

    Originally posted by burnout426:

    Has the spec been fixed?

    Not yet, but this stuff is hard to read because it is very "work-in-progressy". The 'host-specific' term that is not defined in the spec or the old RFC is intended to be defined in a new RFC or spec I believe – I was sent to a draft of one when asking about these terms in the IRC channel. So it seems Opera's interpretation is indeed what the spec as-is intends.

    O.K. I'm on the IRI and URI lists. I should have thought about the latest drafts. (would have been nice for that section to reference the latest draft)

  11. Sigh.. Hotmail is at it too:

    JavaScript - http://secure.shared.live.com/_D/F$Live.SiteContent.Messenger/4.0.54184/Messenger.html
    
    Uncaught exception: [object DOMException]
    Error thrown at line 62, column 209 in <anonymous function: $22>($p0):
        this.$7.postMessage($p0,this.$8);
    called from line 62, column 35 in <anonymous function: $21>():
        this.$22('@ConnectReq');

  12. For which (final) build of Opera is the core "fix" (because it was never really a bug) planned? I feel I should have filed this bug earlier 😦

  13. Originally posted by rafaelluik:

    it has to be done ASAP!

    Give it some time it will be fixed this is not the only site that they are dealing with

  14. Originally posted by ouzoWTF:

    For which (final) build of Opera is the core "fix" (because it was never really a bug) planned?

    I hope to get it into 10.70.

  15. Originally posted by rafaelluik:

    This is enough of examples of websites broken by this "issue", it has to be done ASAP!

    Yeah, because rushing things was always a great idea :troll: How about letting the Opera guys handle this? They know what they are doing, unlike most other people (such as random people in a blog).

  16. Originally posted by prd3:

    How about letting the Opera guys handle this?

    Okay, I'll let them keep Opera at 2%. 😉

  17. Originally posted by rafaelluik:

    Okay, I'll let them keep Opera at 2%.

    2%? Opera has 5-10% in Europe, and up to 50% in countries like Russia, Ukraine, etc. You clearly FAIL.

  18. Well, I just think Opera should be more used in the whole world, and especially the USA, where most pages are developed for or development tutorials come from (in English).

  19. Originally posted by rafaelluik:

    Well, I just think Opera should be more used in the whole world, and especially the USA, where most pages are developed for or development tutorials come from (in English).

    It's getting more users all the time, but you can't expect miracles. Unlike Firefox, Chrome and other browsers, Opera doesn't have a monopoly backing them that can be used to force their browser down people's throats.
