== Why is this an issue? Browsers https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage[allow message exchanges] between Window objects of different origins. Because any window can send or receive messages from another window, it is important to verify the sender's/receiver's identity: * When sending a message with the postMessage method, the identity's receiver should be defined (the wildcard keyword (``++*++``) should not be used). * When receiving a message with a message event, the sender's identity should be verified using the origin and possibly source properties. === Noncompliant code example When sending a message: [source,javascript] ---- var iframe = document.getElementById("testiframe"); iframe.contentWindow.postMessage("secret", "*"); // Noncompliant: * is used ---- When receiving a message: [source,javascript] ---- window.addEventListener("message", function(event) { // Noncompliant: no checks are done on the origin property. console.log(event.data); }); ---- === Compliant solution When sending a message: [source,javascript] ---- var iframe = document.getElementById("testsecureiframe"); iframe.contentWindow.postMessage("hello", "https://secure.example.com"); // Compliant ---- When receiving a message: [source,javascript] ---- window.addEventListener("message", function(event) { if (event.origin !== "http://example.org") // Compliant return; console.log(event.data) }); ---- == Resources * https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control * https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication * https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage[developer.mozilla.org] - postMessage API * https://cwe.mitre.org/data/definitions/345.html[MITRE, CWE-345] - Insufficient Verification of Data Authenticity ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) include::message.adoc[] ''' == Comments And Links (visible only on this page) include::comments-and-links.adoc[] endif::env-github,rspecator-view[]