Browsers https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage[allow message exchanges] between Window objects of different origins. Because any window can send or receive messages from another window, it is important to verify the sender's/receiver's identity: * When sending a message with the postMessage method, the identity's receiver should be defined (the wildcard keyword (``++*++``) should not be used). * When receiving a message with a message event, the sender's identity should be verified using the origin and possibly source properties. == Noncompliant Code Example When sending a message: [source,javascript] ---- var iframe = document.getElementById("testiframe"); iframe.contentWindow.postMessage("secret", "*"); // Noncompliant: * is used ---- When receiving a message: [source,javascript] ---- window.addEventListener("message", function(event) { // Noncompliant: no checks are done on the origin property. console.log(event.data); }); ---- == Compliant Solution When sending a message: [source,javascript] ---- var iframe = document.getElementById("testsecureiframe"); iframe.contentWindow.postMessage("hello", "https://secure.example.com"); // Compliant ---- When receiving a message: [source,javascript] ---- window.addEventListener("message", function(event) { if (event.origin !== "http://example.org") // Compliant return; console.log(event.data) }); ---- == See * https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control * https://www.owasp.org/index.php/Top_10_2010-A3-Broken_Authentication_and_Session_Management[OWASP Top 10 2017 Category A3] - Broken Authentication and Session Management * https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage[developer.mozilla.org] - postMessage API * https://cwe.mitre.org/data/definitions/345.html[MITRE, CWE-345] - Insufficient Verification of Data Authenticity ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) include::message.adoc[] ''' == Comments And Links (visible only on this page) include::comments-and-links.adoc[] endif::env-github,rspecator-view[]