==== Post Messages ====

Added text (current revision): The contacts app does not use <code>postMessage()</code>.

Removed text (the Dialer review findings this section replaced):

ISSUE: None of the handlers verify that the message originated from a trusted/expected source.

I was able to exploit this and let remote content post messages to the Dialer that made Missed Calls notifications appear.

ACTION: Add strict checking of event sources as described on MDN at https://developer.mozilla.org/en-US/docs/DOM/window.postMessage#Security_concerns

* {{bug|845487}} Dialer responds to cross-origin messages without verifying the source (exploitable)
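The following is an added example and not code from the Gaia Dialer or Contacts apps: it shows a <code>message</code> handler that acts on any sender, the pattern the ISSUE above describes, beside one that checks <code>event.origin</code> against an allow-list and validates the payload before acting, which is the ACTION the MDN "Security concerns" section calls for. The origins (<code>app://dialer.gaiamobile.org</code>, <code>app://system.gaiamobile.org</code>), the <code>missed-call</code> message shape and the notification list are assumptions made for the demonstration.

```javascript
// Added example, not code from the Gaia Dialer or Contacts apps: a
// postMessage handler that acts on any sender, beside one that verifies
// event.origin against an allow-list before trusting the payload.
// Origins, the message shape and the notification store are assumptions.

// Assumed origins of the app windows allowed to talk to this handler.
const TRUSTED_ORIGINS = new Set([
  'app://dialer.gaiamobile.org',
  'app://system.gaiamobile.org',
]);

// Vulnerable pattern: the handler never looks at event.origin, so content
// on any origin that can obtain a reference to this window (for example via
// window.open or an iframe) can inject a "missed call".
function handleMessageUnchecked(event, notifications) {
  const d = event.data;
  if (d && d.type === 'missed-call') {
    notifications.push({ number: d.number, from: event.origin });
    return true;
  }
  return false;
}

// Hardened pattern: refuse anything not from an expected origin, then
// validate the payload shape before acting on it.
function handleMessageChecked(event, notifications) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return false; // untrusted sender: ignore, do not act on the data
  }
  const d = event.data;
  if (!d || typeof d !== 'object' || d.type !== 'missed-call') return false;
  // Only accept a plausible phone number, not an arbitrary attacker string.
  if (typeof d.number !== 'string' || !/^\+?[0-9]{3,15}$/.test(d.number)) {
    return false;
  }
  notifications.push({ number: d.number, from: event.origin });
  return true;
}

// Stand-in for a DOM MessageEvent so the handlers run outside a browser;
// in a page the listener receives a real MessageEvent instead.
function makeMessageEvent(origin, data) {
  return { origin: origin, data: data, source: null };
}

// Drives both handlers with one legitimate and one cross-origin message
// (constructed sample input) and returns how many each handler accepted.
function runDemo() {
  const legit = makeMessageEvent('app://system.gaiamobile.org',
                                 { type: 'missed-call', number: '+15555550100' });
  const hostile = makeMessageEvent('http://attacker.example',
                                   { type: 'missed-call', number: '+15555550199' });
  const unchecked = [];
  const checked = [];
  for (const ev of [legit, hostile]) {
    handleMessageUnchecked(ev, unchecked);
    handleMessageChecked(ev, checked);
  }
  return { unchecked: unchecked.length, checked: checked.length };
}

// Wiring in a real page (guarded so the file also runs under Node):
if (typeof window !== 'undefined') {
  const notifications = [];
  window.addEventListener('message', function (ev) {
    handleMessageChecked(ev, notifications);
  });
  // On the sending side, name the target origin instead of '*', so the
  // message is never delivered to a window that has navigated elsewhere:
  // targetWindow.postMessage({ type: 'missed-call', number: '...' },
  //                          'app://dialer.gaiamobile.org');
}
```

Running <code>runDemo()</code> shows the unchecked handler accepting both messages while the checked one accepts only the message from the allow-listed origin. Comparing <code>event.origin</code> with a fixed allow-list is the check; comparing against a value taken from the message itself, or against <code>event.source</code> alone, does not establish who sent it.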
==== Web Activity Usage ====