Consider marking secure sites that receive messages from insecure sites as insecure

Issue description

Maybe even if they have a message handler? Or just block postMessage from insecure to secure top-level?

postMessage from insecure to secure appears to be pretty common: https://www.chromestatus.com/metrics/feature/timeline/popularity/420

However, when an insecure top-level wants to postMessage to a secure iframe, that's probably fine.
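The cases the issue description distinguishes, written out as an added example (not Chromium's code and not part of the original report). It assumes "secure" means an `https:` origin only, which is narrower than the browser's own notion of a trustworthy origin; the function names and the `example.test` origins are constructed for illustration.

```javascript
// Simplified secure-origin check (assumption: only https: counts as secure).
function isSecureOrigin(origin) {
  // event.origin is the literal string "null" for opaque origins
  // (sandboxed frames, data: URLs), so treat that as not secure.
  if (typeof origin !== "string" || origin === "null") return false;
  try {
    return new URL(origin).protocol === "https:";
  } catch (e) {
    return false; // not a parseable origin
  }
}

// Classify one delivery. senderOrigin is what the receiver sees in
// event.origin; receiver is { origin, isTopLevel } (hypothetical shape).
function classifyDelivery(senderOrigin, receiver) {
  if (!isSecureOrigin(receiver.origin)) return "receiver-insecure";
  if (isSecureOrigin(senderOrigin)) return "secure-to-secure";
  // Insecure sender, secure receiver: the issue treats a top-level
  // receiver as the case of concern and a framed receiver as probably fine.
  return receiver.isTopLevel
    ? "insecure-to-secure-top-level"
    : "insecure-to-secure-iframe";
}

// Message handler for a secure page: accept only exact, allowlisted
// https origins, so an insecure sender can never reach onMessage.
function makeHandler(allowedOrigins, onMessage) {
  const allowed = new Set(allowedOrigins.filter(isSecureOrigin));
  return function handle(event) {
    if (!allowed.has(event.origin)) return false; // dropped
    onMessage(event.data, event.origin);
    return true;
  };
}

// In a page: window.addEventListener("message", makeHandler([...], fn));
```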
Jan 23 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4d512b02d6169ea3e9949297b356204fdaa30a40

commit 4d512b02d6169ea3e9949297b356204fdaa30a40
Author: jochen <jochen@chromium.org>
Date: Mon Jan 23 12:33:59 2017

    Add a counter for postMessage from insecure to secure top-level frames

    BUG=682211
    R=mkwst@chromium.org

    Review-Url: https://codereview.chromium.org/2651593003
    Cr-Commit-Position: refs/heads/master@{#445364}

[modify] https://crrev.com/4d512b02d6169ea3e9949297b356204fdaa30a40/third_party/WebKit/Source/core/frame/DOMWindow.cpp
[modify] https://crrev.com/4d512b02d6169ea3e9949297b356204fdaa30a40/third_party/WebKit/Source/core/frame/UseCounter.h
[modify] https://crrev.com/4d512b02d6169ea3e9949297b356204fdaa30a40/tools/metrics/histograms/histograms.xml

Jan 10

Archiving P3s older than 1 year with no owner or component.

Comment 1 by jochen@chromium.org, Jan 18 2017