rspec/rules/S2819/javascript/rule.adoc

Browsers https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage[allow message exchanges] between Window objects of different origins. 

Because any window can send / receive messages from other window it is important to verify the sender's / receiver's identity:

* When sending message with postMessage method, the identity's receiver should be defined (the wildcard keyword (``++*++``) should not be used).
* When receiving message with message event, the sender's identity should be verified using the origin and possibly source properties.


== Noncompliant Code Example

When sending message:

----
var iframe = document.getElementById("testiframe");
iframe.contentWindow.postMessage("secret", "*"); // Noncompliant: * is used
----
When receiving message:

----
window.addEventListener("message", function(event) { // Noncompliant: no checks are done on the origin property.
      console.log(event.data);
 }); 
----


== Compliant Solution

When sending message:

----
var iframe = document.getElementById("testsecureiframe");
iframe.contentWindow.postMessage("hello", "https://secure.example.com"); // Compliant
----
When receiving message:

----
window.addEventListener("message", function(event) {

  if (event.origin !== "http://example.org") // Compliant
    return;

  console.log(event.data)
}); 
----


== See

* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
* https://www.owasp.org/index.php/Top_10_2010-A3-Broken_Authentication_and_Session_Management[OWASP Top 10 2017 Category A3] - Broken Authentication and Session Management
* https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage[developer.mozilla.org] - postMessage API


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::message.adoc[]

'''
== Comments And Links
(visible only on this page)

include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`Browsers https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage[allow message exchanges] between Window objects of different origins.`

			`Because any window can send / receive messages from other window it is important to verify the sender's / receiver's identity:`

			* When sending message with postMessage method, the identity's receiver should be defined (the wildcard keyword (``++*++``) should not be used).
			`* When receiving message with message event, the sender's identity should be verified using the origin and possibly source properties.`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Noncompliant Code Example`

			`When sending message:`

			`----`
			`var iframe = document.getElementById("testiframe");`
			`iframe.contentWindow.postMessage("secret", ""); // Noncompliant: is used`
			`----`
			`When receiving message:`

			`----`
			`window.addEventListener("message", function(event) { // Noncompliant: no checks are done on the origin property.`
			`console.log(event.data);`
			`});`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Compliant Solution`

			`When sending message:`

			`----`
			`var iframe = document.getElementById("testsecureiframe");`
			`iframe.contentWindow.postMessage("hello", "https://secure.example.com"); // Compliant`
			`----`
			`When receiving message:`

			`----`
			`window.addEventListener("message", function(event) {`

			`if (event.origin !== "http://example.org") // Compliant`
			`return;`

			`console.log(event.data)`
			`});`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== See`

RULEAPI-709: Security rules are mapped to the OWASP Top 10 2021 security-standard (#545) 2021-11-01 15:00:32 +01:00			`* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`* https://www.owasp.org/index.php/Top_10_2010-A3-Broken_Authentication_and_Session_Management[OWASP Top 10 2017 Category A3] - Broken Authentication and Session Management`
			`* https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage[developer.mozilla.org] - postMessage API`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00

Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::message.adoc[]`

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`