The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5 Websites
Sooel Son and Vitaly Shmatikov, The University of Texas at Austin
20th NDSS Symposium (February 2013)




A Seminar at Advanced Defense Lab

Introduction
- Web browsers isolate content based on its origin.
  - same origin policy
- Popular sites often include third-party content.
  - advertisements
  - buttons for social recommendations
  - …
- They need to communicate with each other.

2013/3/25


HTML5
- HTML5 includes the postMessage facility that enables a script to send a message to a window regardless of their respective origins. [link]


postMessage
- Sender (may be invoked by third-party script)
  - window.postMessage(message, targetOrigin [, transfer ])
- The browser uses targetOrigin to verify the target window


Message Event
- The event listener may be registered by third-party script
- Some message event object members
  - data
  - origin
    - The sender's origin
  - source
    - It represents the WindowProxy of the browsing context of the Window object from which the message came


Two Problems about postMessage
- Senders need to specify targetOrigin
  - Barth et al. USENIX Security 2008
- Receivers need to verify event.origin
  - This paper

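The two checks from the last slide, as an added example that is not from the slides or the paper: a receiver that verifies event.origin by exact match before using event.data, and that replies with an explicit targetOrigin. The origins, the message shape and the names makeReceiver, onResize and demo are assumptions; the events in demo() are constructed.

```javascript
// Added example: origins, names and message shape are assumptions for illustration.
const TRUSTED_ORIGINS = new Set(["https://widget.example.com"]); // hypothetical partner origin

// Weak receiver check, shown only for contrast: substring match on event.origin.
function looseOriginCheck(origin) {
  return origin.indexOf("widget.example.com") !== -1;
}

// Strict receiver check: exact match of the full serialized origin (scheme, host, port).
function strictOriginCheck(origin) {
  return typeof origin === "string" && TRUSTED_ORIGINS.has(origin);
}

// Builds a "message" event listener. onResize is a hypothetical application callback.
function makeReceiver(onResize) {
  return function onMessage(event) {
    // 1. Verify the sender's origin before touching event.data.
    if (!strictOriginCheck(event.origin)) return "rejected:origin";
    // 2. Validate the payload shape; never eval it or insert it into the DOM as HTML.
    const d = event.data;
    if (!d || d.type !== "resize" || !Number.isInteger(d.height) || d.height < 0 || d.height > 4096) {
      return "rejected:data";
    }
    onResize(d.height);
    // 3. When replying, act as a careful sender: exact targetOrigin, never "*".
    if (event.source) event.source.postMessage({ type: "ack" }, event.origin);
    return "accepted";
  };
}

// Constructed events standing in for what the browser would deliver.
function demo() {
  const heights = [];
  const replies = [];
  const source = { postMessage: (msg, targetOrigin) => replies.push([msg.type, targetOrigin]) };
  const receive = makeReceiver((h) => heights.push(h));
  const results = [
    receive({ origin: "https://widget.example.com", data: { type: "resize", height: 300 }, source }),
    receive({ origin: "https://widget.example.com.attacker.test", data: { type: "resize", height: 1 }, source }),
    receive({ origin: "https://widget.example.com", data: "hello", source }),
  ];
  return { results, heights, replies };
}

// In a browser: window.addEventListener("message", makeReceiver(applyHeight));
```

The second constructed event passes looseOriginCheck but fails strictOriginCheck, which is why the receiver compares the whole origin string rather than searching inside it.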