miscoded

the web is a hack

postMessage()'s targetOrigin and security


Right after the "Opera breaks eBay because we're too secure" issue, another problem where we're being stricter than other browsers appeared on my radar. This time it's HTML5's new postMessage() method. The second argument to this method, targetOrigin, lets you specify which origin you want the message delivered to, so if you do

win.postMessage('test', 'http://www.example.com/')

the web browser must make sure that no site other than http://www.example.com (same scheme, host and port) receives the message. If the document currently loaded in win has some other origin, for instance because the window has since been navigated elsewhere, the message is silently dropped.

The problem is that all other browsers allow something like

win.postMessage('test', 'http://www.example.com/foo/bar')

while Opera follows the current text of the HTML5 spec and throws an exception if there is a path, query string or fragment after the host in the second argument. Some features Facebook embeds in other websites fail in Opera because Facebook composes the "origin" string it passes to postMessage() like this:

FB.XD._origin=(window.location.protocol+'//'+window.location.host+'/'+FB.guid());

(source) The string returned by FB.guid() lands after the slash, as a path, and that causes an exception in Opera when Facebook tries posting messages.

Had I written this blog post last week, I would have pointed fingers at Gecko and WebKit for not being able to implement even new specs correctly. However, luckily I first posted about the issue on the WHATWG list, and the subsequent discussion clarified that this exception was added to the spec after the implementations were written (at least in Mozilla's case). So who is to blame?
  • The HTML5 editor and working group, for continually changing features that are already implemented, shipped, and in use on the web?
  • Facebook for coding according to implementations rather than to the spec?
  • Mozilla and WebKit for not tracking the spec's changes and updating their implementations as soon as possible (it's been two years since this requirement was added to the spec, after all)?


I don't know, and looking for someone to blame is a waste of time anyway. We'll change Opera to match the others, and I've used the WHATWG spec's review feature to report a spec bug. While he's at it, the editor should also remove the '/' shortcut meaning "the current origin", I guess.
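As an added example (not code from the original post, nor from Opera, Facebook or any browser), here is a Node.js model of the rule the post describes: how the targetOrigin string is reduced to an origin, both under the strict 2010 reading Opera implemented (anything after the host is an error) and under the lenient parse-the-URL-and-keep-its-origin behaviour the other browsers had, which is what the spec later adopted; and how delivery then depends on the origin of the document currently in the target window, with scheme, host and port all taking part in the comparison. The window objects, the onmessage handlers and the origins used (www.example.com, attacker.example, the string standing in for FB.guid()) are constructed for the demonstration. It also shows the receiver-side check, because targetOrigin only protects the sender's data; a receiver still has to test event.origin itself.

```javascript
// Added example: a model of postMessage()'s targetOrigin handling, run under
// Node.js with the WHATWG URL class. Windows, handlers and origins below are
// constructed for the demo; this is not a real window API.

// Reduce a targetOrigin string to the origin it designates, or throw.
// strict=true models the 2010 spec text the post describes: anything after the
// authority other than a bare "/" is an error. strict=false models what the
// other browsers did at the time (and the spec later adopted): parse as a URL
// and keep only scheme, host and port.
function resolveTargetOrigin(targetOrigin, currentOrigin, strict = false) {
  if (targetOrigin === '*') return '*';
  if (targetOrigin === '/') return currentOrigin;   // the "current origin" shortcut
  let url;
  try {
    url = new URL(targetOrigin);
  } catch (e) {
    throw new SyntaxError(`targetOrigin is not an absolute URL: ${targetOrigin}`);
  }
  if (url.origin === 'null') {
    throw new SyntaxError(`targetOrigin has no usable origin: ${targetOrigin}`);
  }
  if (strict && url.pathname + url.search + url.hash !== '/') {
    throw new SyntaxError(`targetOrigin carries a path, query or fragment: ${targetOrigin}`);
  }
  return url.origin;   // e.g. "http://www.example.com"; a default port is dropped
}

// Stand-in for a browser window: it knows the origin of the document it
// currently holds and records what it got. The receiver checks event.origin
// against the senders it trusts; targetOrigin does nothing for the receiver.
function makeWindow(origin, trustedSenders) {
  const win = { origin, received: [], ignored: [] };
  win.onmessage = (event) => {
    if (trustedSenders.includes(event.origin)) win.received.push(event.data);
    else win.ignored.push(event.origin);
  };
  return win;
}

// The delivery step of win.postMessage(message, targetOrigin) issued by a
// document whose origin is senderOrigin. A real browser drops silently; the
// reason is returned here so the demo can show why.
function postMessageTo(targetWindow, senderOrigin, message, targetOrigin, strict = false) {
  const allowed = resolveTargetOrigin(targetOrigin, senderOrigin, strict);   // may throw
  if (allowed !== '*' && allowed !== targetWindow.origin) {
    return { delivered: false, reason: `window is at ${targetWindow.origin}, not ${allowed}` };
  }
  targetWindow.onmessage({ data: message, origin: senderOrigin });
  return { delivered: true };
}

// Walk through the cases the post and its comments discuss.
function demo() {
  const sender = 'http://www.example.com';
  const fbStyle = 'http://www.example.com/' + 'f1a2b3c4';   // constructed stand-in for FB.guid()
  const out = {};

  // Scheme, host and port all take part in the comparison; a default port is dropped.
  out.defaultPort = resolveTargetOrigin('http://www.example.com:80/', sender);
  out.https = resolveTargetOrigin('https://www.example.com/', sender);
  out.otherPort = resolveTargetOrigin('http://www.example.com:8080/', sender);
  out.slash = resolveTargetOrigin('/', sender);

  // The Facebook-style string: exception under the strict reading, an origin otherwise.
  try { resolveTargetOrigin(fbStyle, sender, true); out.strictThrows = false; }
  catch (e) { out.strictThrows = e instanceof SyntaxError; }
  out.lenient = resolveTargetOrigin(fbStyle, sender, false);

  // Delivery: the message reaches the window only if its current document's origin matches.
  const widget = makeWindow('http://www.example.com', ['http://www.example.com']);
  out.delivered = postMessageTo(widget, sender, 'hello', fbStyle).delivered;

  // If the target window has since navigated elsewhere, the message is dropped...
  const navigated = makeWindow('http://attacker.example', ['http://www.example.com']);
  out.droppedAfterNavigation = !postMessageTo(navigated, sender, 'secret', fbStyle).delivered;
  // ...whereas "*" hands it to whatever document is there now.
  out.leakedWithStar = postMessageTo(navigated, sender, 'secret', '*').delivered;

  // The receiver's own check: a message from an unexpected origin is ignored.
  postMessageTo(widget, 'http://attacker.example', 'evil', '*');
  out.receiverIgnored = widget.ignored;
  out.receiverGot = widget.received;
  return out;
}

console.log(demo());
```

Note that with strict=false the Facebook string is accepted because only url.origin survives the parse; that is the behaviour the post says Opera moved to. The '*' case is the one to avoid whenever the message carries anything sensitive, since the sender has no say over what the target window holds by the time the message arrives.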


Comments

Rafael Luik (rafaelluik), Wednesday, July 21, 2010 8:29:40 AM

Who is to blame??? Everyone you cited.
You'll change Opera to the old spec too...! :-o
So it should really be causing errors for lots of people, huh.

ouzowtf (ouzoWTF), Wednesday, July 21, 2010 8:37:04 AM

Did I kick off the whole discussion with DSK-302997?! Oops...

I think everybody in the named groups is to blame, and for exactly the reasons you mentioned. If only one of them (Facebook speaking for every website/web developer) had done their job like they should, such problems would not appear. And if all of them would share the expense, then it would not even be worth talking about.
It's like with everything else :)

Michael A. Puls II (burnout426), Wednesday, July 21, 2010 9:29:15 AM

while Opera follows the current text of the HTML5 spec

Has the spec been fixed?

When I read Step 1, it looks like it's saying that the string must be "*" or "/" or an absolute URI/IRI with a non-empty authority (host + optional port, which Ian calls 'host-specific', a term that is undefined in the spec and in the IRI RFC) followed by the end of the string or "/". But, "to me", it's NOT saying anything (whether for or against) about what comes after the "/", which to me says that a path etc. IS allowed.

The only reason I would believe that the path, query and fragment parts are forbidden is http://html5.org/tools/web-apps-tracker?from=2353&to=2354

Even if my interpretation is way off, that's all the more reason for Ian to clarify it.

I also think Firefox's *handling* is more robust, although I don't feel strongly either way.

Hallvord R. M. Steen (hallvors), Wednesday, July 21, 2010 11:32:34 AM

Originally posted by ouzoWTF:

Did I kick off the whole discussion with DSK-302997?! Oops...

You did indeed :) Only days after looking at your bug I noticed the same problem in Facebook's script - thanks to your report I knew what it was all about :)

Originally posted by burnout426:

Has the spec been fixed?

Not yet, but this stuff is hard to read because it is very "work-in-progressy". The 'host-specific' term that is not defined in the spec or the old RFC is intended to be defined in a new RFC or spec I believe - I was sent to a draft of one when asking about these terms in the IRC channel. So it seems Opera's interpretation is indeed what the spec as-is intends.

João Eiras (xErath), Wednesday, July 21, 2010 1:03:35 PM

IMO, the following

Originally posted by hallvors:

Mozilla and WebKit for not tracking the spec's changes and updating their implementations as soon as possible (it's been two years since this requirement was added to the spec, after all)?

Someone always gets shot in the foot when bleeding edge features are implemented, and almost as if by magic or circumstance, it's always the smaller browsers.

Charles Schloss (Chas4), Wednesday, July 21, 2010 7:41:59 PM

At least now is a good time to talk w/ Mozilla and Google and the Webkit team

Though Facebook fails web validation for the home page after login very badly:

"Errors found while checking this document as XHTML 1.0 Strict!
Result: 9998 Errors, 1880 warning(s)" (validate local)


In the Facebook Opera group I keep seeing the question about facebook & Opera, I hope this helps in solving some of the issues

Hallvord R. M. Steen (hallvors), Wednesday, July 21, 2010 9:18:48 PM

Originally posted by xErath:

by magic or circumstances, it's always the smaller browsers

Some weird and anti-competitive magic at work there :-p

J. King (MTKnight), Wednesday, July 21, 2010 11:02:19 PM

I'm a little mystified. If the intent was to limit to domains, why is the parameter a URI instead of a host-name?

Hallvord R. M. Steen (hallvors), Thursday, July 22, 2010 12:32:49 AM

Because protocol and even the optional port are also considered when you calculate the origin of a document or script.

Michael A. Puls II (burnout426), Thursday, July 22, 2010 3:15:36 AM

Originally posted by hallvors:

Originally posted by burnout426:

Has the spec been fixed?

Not yet, but this stuff is hard to read because it is very "work-in-progressy". The 'host-specific' term that is not defined in the spec or the old RFC is intended to be defined in a new RFC or spec I believe - I was sent to a draft of one when asking about these terms in the IRC channel. So it seems Opera's interpretation is indeed what the spec as-is intends.

O.K. I'm on the IRI and URI lists. I should have thought about the latest drafts. (would have been nice for that section to reference the latest draft)

Michael A. Puls II (burnout426), Thursday, July 22, 2010 5:06:21 AM

Ah, it's at http://tools.ietf.org/html/draft-ietf-iri-3987bis-00#section-3.2 and labeled as "HOSTSPECIFIC" (not host-specific like in the HTML5 spec).

the substring that follows the substring matched by the iauthority production, or the whole string if the iauthority production wasn't matched.

Hallvord R. M. Steen (hallvors), Thursday, August 5, 2010 2:54:39 AM

Sigh.. Hotmail is at it too:

JavaScript - http://secure.shared.live.com/_D/F$Live.SiteContent.Messenger/4.0.54184/Messenger.html

Uncaught exception: [object DOMException]
Error thrown at line 62, column 209 in <anonymous function: $22>($p0):
    this.$7.postMessage($p0,this.$8);
called from line 62, column 35 in <anonymous function: $21>():
    this.$22('@ConnectReq');

Charles Schloss (Chas4), Thursday, August 5, 2010 3:02:14 AM

So is that why Web Messenger breaks in Opera?

Safari seems to load it after 3 tries and 7 minutes of waiting

ouzowtf (ouzoWTF), Thursday, August 5, 2010 7:02:52 AM

For which (final) build of Opera is the core "fix" (because it was never really a bug) planned?

I feel I should have filed this bug earlier :(

Rafael Luik (rafaelluik), Thursday, August 5, 2010 5:55:26 PM

This is enough examples of websites broken by this "issue", it has to be done ASAP!

Charles Schloss (Chas4), Thursday, August 5, 2010 6:27:54 PM

Originally posted by rafaelluik:

it has to be done ASAP!

Give it some time, it will be fixed; this is not the only site that they are dealing with.

Hallvord R. M. Steen (hallvors), Friday, August 6, 2010 10:41:42 AM

Originally posted by ouzoWTF:

For which (final) build of Opera is the core "fix" (because it was never really a bug) planned?

I hope to get it into 10.70.

prd3, Monday, August 9, 2010 9:35:30 AM

Originally posted by rafaelluik:

This is enough examples of websites broken by this "issue", it has to be done ASAP!

Yeah, because rushing things was always a great idea (troll)

How about letting the Opera guys handle this? They know what they are doing, unlike most other people (such as random people in a blog).

Rafael Luik (rafaelluik), Monday, August 9, 2010 5:52:27 PM

Originally posted by prd3:

How about letting the Opera guys handle this?

Okay, I'll let them keep Opera at 2%. ;)

prd3, Tuesday, August 10, 2010 9:50:31 AM

Originally posted by rafaelluik:

Okay, I'll let they keep Opera at 2%.


2%? Opera has 5-10% in Europe, and up to 50% in countries like Russia, Ukraine, etc. You clearly FAIL.

Rafael Luik (rafaelluik), Tuesday, August 10, 2010 6:53:34 PM

Well, I just think Opera should be more used in the whole world, and especially the USA, where most pages are developed for or development tutorials come from (in English).

Unregistered user Wednesday, August 11, 2010 1:12:32 AM

Hixie writes: The spec has changed.

prd3, Wednesday, August 11, 2010 10:21:23 AM

Originally posted by rafaelluik:

Well, I just think Opera should be more used in the whole world, and specially USA where most pages are developed for or development tutorials come from (in English).


It's getting more users all the time, but you can't expect miracles. Unlike Firefox, Chrome and other browsers, Opera doesn't have a monopoly backing them that can be used to force their browser down people's throats.

Rafael Luik (rafaelluik), Wednesday, August 11, 2010 5:47:25 PM

Heheh, yeah, I know that history. :/
Let's hope the number of users keeps growing, it'll be better for everyone. :)
