[Openid-specs-ab] Issue #1022: Session Management OP Frame message origin assertion (openid/connect)

Filip Skokan issues-reply at bitbucket.org
Mon Feb 26 06:46:40 UTC 2018

New issue 1022: Session Management OP Frame message origin assertion

Filip Skokan:

From [OpenID Connect Session Management 1.0 - draft 28#4.2. OP iframe](https://openid.net/specs/openid-connect-session-1_0.html#OPiframe)

> The OP iframe MUST enforce that the caller has the same origin as its parent frame. It MUST reject postMessage requests from any other source origin.

I understand the intention here but would like to raise a few questions/issues.

1. The cross-domain parent origin is not accessible: accessing `window.parent.location.origin` or `window.parent.origin` raises a DOMException, and other means of reading the URL (accessing `document.referrer` and building the origin URL out of it) are unreliable and inconsistent at best.
1. The parent frame (tab) is not actually the origin of the message; that would be the RP frame, which might very well sit on a different subdomain, resulting in another origin.

I can see the example in the specification is not handling this either.

Steps to reproduce:

1. Login with any username/password at RP https://tranquil-reef-95185.herokuapp.com, set to login with OP https://guarded-cliffs-8635.herokuapp.com
1. Open console, switch to `opframe` js context
1. Attempt to get the parent origin via JS to have a reference to compare the message origin with
