The OP iframe MUST enforce that the caller has the same origin as its parent frame. It MUST reject postMessage requests from any other source origin.
I understand the intention here but would like to raise a few questions/issues.
- cross-domain parent origin is not accessible: accessing window.parent.origin raises a DOMException, and other means of reading the URL are unreliable and inconsistent at best (accessing document.referrer and building the origin URL out of it).
- the parent frame (tab) is not actually the source of the message; this would be the RP frame, same origin tho, which might very well sit on a different subdomain, resulting in another origin.
I can see the example in the specification is not handling this either.
Steps to reproduce:
- Login with any username/password at RP https://tranquil-reef-95185.herokuapp.com, set to login with OP https://guarded-cliffs-8635.herokuapp.com
- Open console, switch to
- Attempt to get the parent origin via JS to have a reference to compare the message origin with
If anything, this assertion of the message origin should be mentioned for the RP frame, where the RP frame must assert that the origin of the message is the OP frame origin. This origin can be easily formed by knowing the OP frame location, and it can be compared to the message origin. The example rpFrame in the specification already does this.
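The RP-side check described above, as an added example that is not part of the original post or of the specification's own rpFrame: the RP derives the expected origin from the OP frame URL it configured itself and drops any message whose event.origin differs, which also rejects a sibling subdomain of the OP host since that is a distinct origin. The OP frame path and the session-state values "changed"/"unchanged"/"error" (those used by OpenID Connect Session Management) are assumptions for illustration.

```javascript
// Added example (not from the original post): RP frame validating the origin
// of postMessage replies from the OP check-session iframe.

// Derive the expected origin from the OP frame URL the RP itself configured.
// The RP knows this URL because it created the iframe, so no parent-origin
// lookup is needed.
function expectedOpOrigin(opFrameUrl) {
  return new URL(opFrameUrl).origin;
}

// Returns the session state carried by the message only when the event came
// from the expected OP origin and carries a recognised value; otherwise null.
function handleOpMessage(event, opFrameUrl) {
  // Origin comparison is an exact string match: scheme, host and port must all
  // agree, so a different subdomain of the OP host is rejected as well.
  if (event.origin !== expectedOpOrigin(opFrameUrl)) {
    return null;
  }
  const data = typeof event.data === 'string' ? event.data : '';
  return ['changed', 'unchanged', 'error'].includes(data) ? data : null;
}

// Browser wiring; a no-op when the module is loaded outside a browser.
if (typeof window !== 'undefined' && typeof window.addEventListener === 'function') {
  // Assumed path; the host is the OP used in the reproduction steps above.
  const OP_FRAME_URL = 'https://guarded-cliffs-8635.herokuapp.com/check_session';
  window.addEventListener('message', (e) => {
    const state = handleOpMessage(e, OP_FRAME_URL);
    if (state !== null) {
      console.log('OP session state:', state);
    }
  });
}
```

The check deliberately compares against the origin the RP already knows rather than anything read from the incoming event, so a message from any other window, including one on another subdomain of the same host, is silently ignored.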