45 lines
1.3 KiB
Plaintext
45 lines
1.3 KiB
Plaintext
== Why is this an issue?
|
|
|
|
HTML5's cross-window messaging adds the ability to send messages directly from one window (or iframe) to another, without having to go through a server. This makes it easier to write interesting and responsive web sites, but adds vulnerability as well, since the same-origin policy does not apply here. For that reason, cross-window messaging listeners should always check message origins and use only those from trusted sites.
|
|
|
|
|
|
This rule raises an issue on each cross-window messaging listener that does not check message origins.
|
|
|
|
|
|
=== Noncompliant code example
|
|
|
|
[source,javascript]
|
|
----
|
|
window.addEventListener("message", function (event){ // Noncompliant
|
|
// ...
|
|
}, false);
|
|
----
|
|
|
|
|
|
== Resources
|
|
|
|
* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
|
|
* https://dl.packetstormsecurity.net/papers/attack/HTML5AttackVectors_RafayBaloch_UPDATED.pdf[Packet Storm Security] - HTML 5 Modern Day Attack And Defence Vectors
|
|
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
Make sure this listener only acts on messages from trusted origins.
|
|
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
=== on 12 Nov 2015, 18:09:06 Linda Martin wrote:
|
|
OK!
|
|
|
|
endif::env-github,rspecator-view[]
|