18 lines
973 B
Plaintext
18 lines
973 B
Plaintext
HTML5's cross-window messaging adds the ability to send messages directly from one window (or iframe) to another, without having to go through a server. This makes it easier to write interesting and responsive web sites, but adds vulnerability as well, since the same-origin policy does not apply here. For that reason, cross-window messaging listeners should always check message origins and use only those from trusted sites.
|
|
|
|
|
|
This rule raises an issue on each cross-window messaging listener that does not check message origins.
|
|
|
|
== Noncompliant Code Example
|
|
|
|
----
|
|
window.addEventListener("message", function (event){ // Noncompliant
|
|
// ...
|
|
}, false);
|
|
----
|
|
|
|
== See
|
|
|
|
* https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
|
|
* https://dl.packetstormsecurity.net/papers/attack/HTML5AttackVectors_RafayBaloch_UPDATED.pdf[Packet Storm Security] - HTML 5 Modern Day Attack And Defence Vectors
|