16f6c0aecf
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
82 lines
2.3 KiB
Plaintext
82 lines
2.3 KiB
Plaintext
== Why is this an issue?
|
|
|
|
Browsers https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage[allow message exchanges] between Window objects of different origins.
|
|
|
|
Because any window can send or receive messages from another window, it is important to verify the sender's/receiver's identity:
|
|
|
|
* When sending a message with the postMessage method, the identity's receiver should be defined (the wildcard keyword (``++*++``) should not be used).
|
|
* When receiving a message with a message event, the sender's identity should be verified using the origin and possibly source properties.
|
|
|
|
|
|
=== Noncompliant code example
|
|
|
|
When sending a message:
|
|
|
|
[source,javascript]
|
|
----
|
|
var iframe = document.getElementById("testiframe");
|
|
iframe.contentWindow.postMessage("secret", "*"); // Noncompliant: * is used
|
|
----
|
|
When receiving a message:
|
|
|
|
[source,javascript]
|
|
----
|
|
window.addEventListener("message", function(event) { // Noncompliant: no checks are done on the origin property.
|
|
console.log(event.data);
|
|
});
|
|
----
|
|
|
|
|
|
=== Compliant solution
|
|
|
|
When sending a message:
|
|
|
|
[source,javascript]
|
|
----
|
|
var iframe = document.getElementById("testsecureiframe");
|
|
iframe.contentWindow.postMessage("hello", "https://secure.example.com"); // Compliant
|
|
----
|
|
When receiving a message:
|
|
|
|
[source,javascript]
|
|
----
|
|
window.addEventListener("message", function(event) {
|
|
|
|
if (event.origin !== "http://example.org") // Compliant
|
|
return;
|
|
|
|
console.log(event.data)
|
|
});
|
|
----
|
|
|
|
|
|
== Resources
|
|
|
|
* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
|
|
* https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication
|
|
* https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage[developer.mozilla.org] - postMessage API
|
|
* https://cwe.mitre.org/data/definitions/345.html[MITRE, CWE-345] - Insufficient Verification of Data Authenticity
|
|
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
For a message reception: Verify the origin of the received message.
|
|
For a message send-out: Specify a target origin for this message.
|
|
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
=== on 20 May 2015, 07:10:27 Linda Martin wrote:
|
|
OK!
|
|
|
|
endif::env-github,rspecator-view[]
|