[wp-trac] [WordPress Trac] #34831: WP oEmbed: Validate the "Secret" When Used in `document.querySelectorAll()`
WordPress Trac
noreply at wordpress.org
Thu Dec 3 18:49:36 UTC 2015
#34831: WP oEmbed: Validate the "Secret" When Used in `document.querySelectorAll()`
--------------------------+-------------------------
 Reporter:  mdawaffe      |       Owner:  mdawaffe
     Type:  defect (bug)  |      Status:  assigned
 Priority:  normal        |   Milestone:  4.4
Component:  Embeds        |     Version:  trunk
 Severity:  normal        |  Resolution:
 Keywords:  has-patch     |     Focuses:  javascript
--------------------------+-------------------------
Changes (by mdawaffe):

 * keywords:  has-patch commit => has-patch

Comment:

Another piece of hardening: We can't do the normal `postMessage()`
`origin` checks (sandboxed iframes have sandboxed origins), but we can
ensure that the message event's `source` (a window object) is the same as
the iframe's window.

This protects against some potential, weird information disclosure bug
with the secret. That is, with this extra check, the secret does not need
to be private; it just becomes a unique ID.

Combined patch attached: attachment:34831.3.diff.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/34831#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
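
The two checks discussed in this ticket (validating the secret before it reaches `document.querySelectorAll()`, and comparing the message event's `source` to the iframe's window), as an added example that is not part of the original message or the attached patch. The `data-secret` attribute selector, the alphanumeric secret format, and the `makeDoc` stub that stands in for a browser document are assumptions made so the code runs under Node.

```javascript
// Assumption: secrets are plain alphanumeric strings.
const SECRET_RE = /^[a-zA-Z0-9]+$/;

// Returns the iframes that are allowed to act on this message (possibly none).
function iframesForMessage(doc, event) {
  const data = event.data;
  if (!data || typeof data.secret !== 'string') return [];

  // Validate before interpolating into a selector, so the secret can never
  // change what the selector matches.
  if (!SECRET_RE.test(data.secret)) return [];

  const candidates = doc.querySelectorAll(
    'iframe[data-secret="' + data.secret + '"]'
  );

  // A sandboxed iframe has an opaque origin, so event.origin cannot be
  // compared against an expected value. Window identity can: the message is
  // accepted only if it was sent by the window of the iframe it addresses.
  return Array.from(candidates).filter(
    (frame) => event.source === frame.contentWindow
  );
}

// Constructed stand-in for a document; records every selector it is given so
// a caller can confirm that rejected secrets never reach the selector engine.
function makeDoc(iframes) {
  const doc = {
    selectors: [],
    querySelectorAll(selector) {
      doc.selectors.push(selector);
      return iframes.filter(
        (f) => selector === 'iframe[data-secret="' + f.secret + '"]'
      );
    },
  };
  return doc;
}

// Constructed sample data: one embed iframe and one unrelated window.
const embedWindow = { name: 'embed' };
const otherWindow = { name: 'other' };
const sampleFrames = [{ secret: 'abc123XYZ0', contentWindow: embedWindow }];
```

With the `source` comparison in place, a window that knows the secret but is not the embedded iframe is still rejected, which is why the secret only needs to be unique.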