== Why is this an issue?

HTML5's cross-window messaging adds the ability to send messages directly from one window (or iframe) to another, without having to go through a server. This makes it easier to write interesting and responsive web sites, but adds vulnerability as well, since the same-origin policy does not apply here. For that reason, cross-window messaging listeners should always check message origins and use only those from trusted sites.


This rule raises an issue on each cross-window messaging listener that does not check message origins.


=== Noncompliant code example

[source,javascript]
----
window.addEventListener("message", function (event){  // Noncompliant
  // ...
}, false);
----


== Resources

* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
* https://dl.packetstormsecurity.net/papers/attack/HTML5AttackVectors_RafayBaloch_UPDATED.pdf[Packet Storm Security] - HTML 5 Modern Day Attack And Defence Vectors



ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make sure this listener only acts on messages from trusted origins.


'''
== Comments And Links
(visible only on this page)

=== on 12 Nov 2015, 18:09:06 Linda Martin wrote:
OK!

endif::env-github,rspecator-view[]