2023-05-03 11:06:20 +02:00
|
|
|
== Why is this an issue?
|
|
|
|
|
|
2021-04-28 16:49:39 +02:00
|
|
|
Browsers https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage[allow message exchanges] between Window objects of different origins.
|
|
|
|
|
|
2022-01-17 17:58:25 +01:00
|
|
|
Because any window can send or receive messages from another window, it is important to verify the sender's/receiver's identity:
|
2021-04-28 16:49:39 +02:00
|
|
|
|
2022-01-17 17:58:25 +01:00
|
|
|
* When sending a message with the postMessage method, the identity's receiver should be defined (the wildcard keyword (``++*++``) should not be used).
|
|
|
|
|
* When receiving a message with a message event, the sender's identity should be verified using the origin and possibly source properties.
|
2021-04-28 16:49:39 +02:00
|
|
|
|
2021-04-28 18:08:03 +02:00
|
|
|
|
2023-05-03 11:06:20 +02:00
|
|
|
=== Noncompliant code example
|
2021-04-28 16:49:39 +02:00
|
|
|
|
2022-01-17 17:58:25 +01:00
|
|
|
When sending a message:
|
2021-04-28 16:49:39 +02:00
|
|
|
|
2022-02-04 17:28:24 +01:00
|
|
|
[source,javascript]
|
2021-04-28 16:49:39 +02:00
|
|
|
----
|
|
|
|
|
var iframe = document.getElementById("testiframe");
|
|
|
|
|
iframe.contentWindow.postMessage("secret", "*"); // Noncompliant: * is used
|
|
|
|
|
----
|
2022-01-17 17:58:25 +01:00
|
|
|
When receiving a message:
|
2021-04-28 16:49:39 +02:00
|
|
|
|
2022-02-04 17:28:24 +01:00
|
|
|
[source,javascript]
|
2021-04-28 16:49:39 +02:00
|
|
|
----
|
|
|
|
|
window.addEventListener("message", function(event) { // Noncompliant: no checks are done on the origin property.
|
|
|
|
|
console.log(event.data);
|
|
|
|
|
});
|
|
|
|
|
----
|
|
|
|
|
|
2021-04-28 18:08:03 +02:00
|
|
|
|
2023-05-03 11:06:20 +02:00
|
|
|
=== Compliant solution
|
2021-04-28 16:49:39 +02:00
|
|
|
|
2022-01-17 17:58:25 +01:00
|
|
|
When sending a message:
|
2021-04-28 16:49:39 +02:00
|
|
|
|
2022-02-04 17:28:24 +01:00
|
|
|
[source,javascript]
|
2021-04-28 16:49:39 +02:00
|
|
|
----
|
|
|
|
|
var iframe = document.getElementById("testsecureiframe");
|
|
|
|
|
iframe.contentWindow.postMessage("hello", "https://secure.example.com"); // Compliant
|
|
|
|
|
----
|
2022-01-17 17:58:25 +01:00
|
|
|
When receiving a message:
|
2021-04-28 16:49:39 +02:00
|
|
|
|
2022-02-04 17:28:24 +01:00
|
|
|
[source,javascript]
|
2021-04-28 16:49:39 +02:00
|
|
|
----
|
|
|
|
|
window.addEventListener("message", function(event) {
|
|
|
|
|
|
|
|
|
|
if (event.origin !== "http://example.org") // Compliant
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
console.log(event.data)
|
|
|
|
|
});
|
|
|
|
|
----
|
|
|
|
|
|
2021-04-28 18:08:03 +02:00
|
|
|
|
2023-05-03 11:06:20 +02:00
|
|
|
== Resources
|
2021-04-28 16:49:39 +02:00
|
|
|
|
2021-11-01 15:00:32 +01:00
|
|
|
* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
|
2022-07-08 13:58:56 +02:00
|
|
|
* https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication
|
2021-04-28 16:49:39 +02:00
|
|
|
* https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage[developer.mozilla.org] - postMessage API
|
2022-04-01 09:54:11 +02:00
|
|
|
* https://cwe.mitre.org/data/definitions/345.html[MITRE, CWE-345] - Insufficient Verification of Data Authenticity
|
2021-04-28 18:08:03 +02:00
|
|
|
|
|
|
|
|
|
2021-06-02 20:44:38 +02:00
|
|
|
|
2021-06-03 09:05:38 +02:00
|
|
|
ifdef::env-github,rspecator-view[]
|
2021-09-20 15:38:42 +02:00
|
|
|
|
|
|
|
|
'''
|
|
|
|
|
== Implementation Specification
|
|
|
|
|
(visible only on this page)
|
|
|
|
|
|
|
|
|
|
include::message.adoc[]
|
|
|
|
|
|
2021-06-08 15:52:13 +02:00
|
|
|
'''
|
2021-06-02 20:44:38 +02:00
|
|
|
== Comments And Links
|
|
|
|
|
(visible only on this page)
|
|
|
|
|
|
|
|
|
|
include::comments-and-links.adoc[]
|
2021-06-03 09:05:38 +02:00
|
|
|
endif::env-github,rspecator-view[]
|
