38 lines
1.2 KiB
Plaintext
38 lines
1.2 KiB
Plaintext
HTML5's cross-window messaging adds the ability to send messages directly from one window (or iframe) to another, without having to go through a server. This makes it easier to write interesting and responsive web sites, but adds vulnerability as well, since the same-origin policy does not apply here. For that reason, cross-window messaging listeners should always check message origins and use only those from trusted sites.
|
|
|
|
|
|
This rule raises an issue on each cross-window messaging listener that does not check message origins.
|
|
|
|
|
|
== Noncompliant Code Example
|
|
|
|
[source,javascript]
|
|
----
|
|
window.addEventListener("message", function (event){ // Noncompliant
|
|
// ...
|
|
}, false);
|
|
----
|
|
|
|
|
|
== See
|
|
|
|
* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
|
|
* https://dl.packetstormsecurity.net/papers/attack/HTML5AttackVectors_RafayBaloch_UPDATED.pdf[Packet Storm Security] - HTML 5 Modern Day Attack And Defence Vectors
|
|
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::message.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|