16f6c0aecf
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
45 lines
1.3 KiB
Plaintext
45 lines
1.3 KiB
Plaintext
== Why is this an issue?
|
|
|
|
HTML5's cross-window messaging adds the ability to send messages directly from one window (or iframe) to another, without having to go through a server. This makes it easier to write interesting and responsive web sites, but adds vulnerability as well, since the same-origin policy does not apply here. For that reason, cross-window messaging listeners should always check message origins and use only those from trusted sites.
|
|
|
|
|
|
This rule raises an issue on each cross-window messaging listener that does not check message origins.
|
|
|
|
|
|
=== Noncompliant code example
|
|
|
|
[source,javascript]
|
|
----
|
|
window.addEventListener("message", function (event){ // Noncompliant
|
|
// ...
|
|
}, false);
|
|
----
|
|
|
|
|
|
== Resources
|
|
|
|
* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
|
|
* https://dl.packetstormsecurity.net/papers/attack/HTML5AttackVectors_RafayBaloch_UPDATED.pdf[Packet Storm Security] - HTML 5 Modern Day Attack And Defence Vectors
|
|
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
Make sure this listener only acts on messages from trusted origins.
|
|
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
=== on 12 Nov 2015, 18:09:06 Linda Martin wrote:
|
|
OK!
|
|
|
|
endif::env-github,rspecator-view[]
|