[Webkit-unassigned] [Bug 186593] User gesture context is not passed via MessageChannel
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Jun 14 09:25:59 PDT 2018
https://bugs.webkit.org/show_bug.cgi?id=186593
--- Comment #3 from Brady Eidson <beidson at apple.com> ---
(In reply to Dima Voytenko from comment #2)
> If there are no other reasons, it'd be great if it did. IMHO MessageChannel,
> while essentially the same, is an improvement over plain window messaging: I
> see a lot fewer security bugs with code relying on it.
I'm not sure why you say there's fewer security bugs with message channels vs. postMessage
MessageChannels can cross browsing contexts in newly radical ways (e.g. web page -> service worker context), making the bug surface significantly larger.
The fallout from "blessing" them with the user gesture flag should be carefully considered.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180614/f9722d6f/attachment.html>
More information about the webkit-unassigned
mailing list