[Webkit-unassigned] [Bug 238090] New: BroadcastChannel instances in distinct opaque origins can communicate
bugzilla-daemon at webkit.org
Fri Mar 18 12:49:09 PDT 2022
https://bugs.webkit.org/show_bug.cgi?id=238090
Bug ID: 238090
Summary: BroadcastChannel instances in distinct opaque origins can communicate
Product: WebKit
Version: Safari Technology Preview
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: New Bugs
Assignee: webkit-unassigned at lists.webkit.org
Reporter: awillia at google.com
I wrote a test to determine whether BroadcastChannel instances in distinct opaque origins (tied to the same document) can communicate, and it looks like they can in Safari Tech Preview:
https://wpt.fyi/results/webmessaging/broadcastchannel/opaque-origin.html?label=experimental&label=master&aligned
BroadcastChannel messages should only be sent to instances that are same-origin, per the HTML standard.
I was curious whether this could be leveraged to bypass top-level site partitioning as well, but it doesn't appear to. I tested in the browser using the following code (run via the JS console) on two different sites, verifying that no console log messages appeared:
```
// Build a data: URL document; each data: iframe gets its own opaque origin.
const iframe_src = (channel_name, msg) => `data:text/html,<script>
  let bc2 = new BroadcastChannel("${channel_name}");
  bc2.onmessage = (e) => {
    console.log(e.data);
  };
  bc2.postMessage("${msg}");
</script>`;

// Embed the iframe; it posts the embedding page's URL on channel "test".
let iframe2 = document.createElement("iframe");
iframe2.src = iframe_src('test', window.location.href);
document.body.appendChild(iframe2);
```
--
You are receiving this mail because:
You are the assignee for the bug.
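
Added example, not part of the original report and not WebKit's code: a small model of the same-origin rule the report cites, showing which BroadcastChannel instances may receive a message when two `data:` iframes each hold their own opaque origin. The serialized-origin comparison is a constructed contrast (every opaque origin serializes to `"null"`), not a statement of this bug's cause; all function names and the `a.example` host are hypothetical.

```javascript
// Added illustration. makeTupleOrigin, makeOpaqueOrigin, sameOrigin, serialize,
// recipients and scenario are hypothetical names, not browser or WebKit APIs.

// A tuple origin is (scheme, host, port); an opaque origin carries no data and
// is identified only by object identity.
const makeTupleOrigin = (scheme, host, port = null) =>
  Object.freeze({ opaque: false, scheme, host, port });
const makeOpaqueOrigin = () => Object.freeze({ opaque: true });

// HTML "same origin": an opaque origin is same-origin only with itself.
function sameOrigin(a, b) {
  if (a.opaque || b.opaque) return a === b;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Serialization maps every opaque origin to "null", so the string is not a
// safe comparison key.
function serialize(o) {
  if (o.opaque) return "null";
  return `${o.scheme}://${o.host}${o.port === null ? "" : ":" + o.port}`;
}
const sameSerialization = (a, b) => serialize(a) === serialize(b);

// Channels eligible to receive a message posted on `source`: same name,
// same origin under the supplied check, and never the sender itself.
function recipients(source, channels, originCheck) {
  return channels
    .filter((c) => c !== source && c.name === source.name &&
                   originCheck(c.origin, source.origin))
    .map((c) => c.id);
}

// Constructed scenario: one https page embedding two data: iframes, each of
// which gets its own opaque origin. frameA holds two channels.
function scenario() {
  const page = makeTupleOrigin("https", "a.example");
  const frameA = makeOpaqueOrigin();
  const frameB = makeOpaqueOrigin();
  const channels = [
    { id: "page", name: "test", origin: page },
    { id: "frameA-1", name: "test", origin: frameA },
    { id: "frameA-2", name: "test", origin: frameA },
    { id: "frameB", name: "test", origin: frameB },
  ];
  const sender = channels[1]; // frameA-1 posts the message
  return {
    expected: recipients(sender, channels, sameOrigin),
    bySerialization: recipients(sender, channels, sameSerialization),
  };
}
```

A regression test for this class of bug asserts the `expected` shape: a channel in the same opaque origin receives the message, while the second frame and the embedding page do not.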