postMessage's targetOrigin should be hardened against compromised renderers |
Issue description: We transfer the |targetOrigin| parameter of postMessage into the target OOPIF (see RemoteDOMWindow::SchedulePostMessage and FrameMsg_PostMessage_Params::target_origin) and verify that the origins match (see how LocalDOMWindow::DispatchMessageEventWithOriginCheck is called from RenderFrameImpl::PostMessageEvent). This security check may be skipped if the recipient's renderer has been compromised by a malicious webpage. Therefore, we should enforce |targetOrigin| in the sender's renderer and/or in the browser process. We should also audit whether MessagePort and other messaging APIs need a similar enforcement (MessageChannel/MessagePort doesn't seem to have an explicit |targetOrigin|, but MessagePortProvider::PostMessageToFrame still ends up populating FrameMsg_PostMessage_Params::target_origin).
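A model of the browser-side check the description asks for, added here as an illustration (hypothetical code, not Chromium's RFPH::OnRouteMessageEvent or any other Chromium source): given the sender-supplied target origin and the two frame origins the browser process knows on its own, decide whether the message may be routed, failing closed on anything unparseable. The Origin struct, ParseOrigin and ShouldDeliver are assumed names.

```cpp
// Hypothetical model of a browser-process targetOrigin check; not Chromium code.
#include <cassert>
#include <optional>
#include <string>

struct Origin {
  std::string scheme;
  std::string host;
  int port;
  bool operator==(const Origin& o) const {
    return scheme == o.scheme && host == o.host && port == o.port;
  }
};

// Parses "scheme://host[:port][/...]" with default ports filled in; nullopt if not an origin.
std::optional<Origin> ParseOrigin(const std::string& s) {
  size_t sep = s.find("://");
  if (sep == std::string::npos || sep == 0) return std::nullopt;
  Origin o;
  o.scheme = s.substr(0, sep);
  std::string rest = s.substr(sep + 3);
  size_t slash = rest.find('/');  // drop any path: an origin carries none
  if (slash != std::string::npos) rest = rest.substr(0, slash);
  size_t colon = rest.find(':');
  if (colon == std::string::npos) {
    o.host = rest;
    o.port = (o.scheme == "https") ? 443 : (o.scheme == "http") ? 80 : -1;
  } else {
    o.host = rest.substr(0, colon);
    std::string p = rest.substr(colon + 1);
    if (p.empty() || p.size() > 5 ||
        p.find_first_not_of("0123456789") != std::string::npos) return std::nullopt;
    o.port = std::stoi(p);
  }
  if (o.host.empty()) return std::nullopt;
  return o;
}

// |target_origin| is what the sender passed to postMessage; the other two are the
// frame origins the browser process tracks itself, so a compromised recipient
// renderer cannot influence the decision. "*" matches any recipient, "/" means the
// sender's own origin, anything else must serialize exactly to the recipient's origin.
bool ShouldDeliver(const std::string& target_origin, const std::string& sender_origin,
                   const std::string& recipient_origin) {
  if (target_origin == "*") return true;
  std::optional<Origin> want =
      ParseOrigin(target_origin == "/" ? sender_origin : target_origin);
  std::optional<Origin> have = ParseOrigin(recipient_origin);
  return want && have && *want == *have;  // unparseable input fails closed
}
```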
Jan 11
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a363a8795876763bd306c6569ec3f878e27e7621

commit a363a8795876763bd306c6569ec3f878e27e7621
Author: Lukasz Anforowicz <lukasza@chromium.org>
Date: Fri Jan 11 21:39:00 2019

Verify |target_origin| received by RFPH::OnRouteMessageEvent.

Bug: 918060
Change-Id: I7ca3963e34741cb4b9d0ebb6b5f7fe8e77160000
Reviewed-on: https://chromium-review.googlesource.com/c/1399566
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Cr-Commit-Position: refs/heads/master@{#622165}

[modify] https://crrev.com/a363a8795876763bd306c6569ec3f878e27e7621/content/browser/frame_host/render_frame_proxy_host.cc
Jan 11
Comment 1 by nasko@chromium.org, Dec 28