Shopping Cart

No products in the cart.

Quality Clouds Community
Quality Clouds Community
View Categories

JavaScript – Avoid Unrestricted targetOrigin On Cross-Domain Messaging

Table of Contents
Impact Area

Security

Severity

High

Affected Element

All

Rule number #

SN-0134

Impact #

HTML5 adds the ability to send messages to documents served from other domains. If improperly used, this can cause a data leak.

Remediation #

Do not use unrestricted targetOrigin calls.

Time to fix

20 min

References #

This rule is linked to Common Weakness Enumeration CWE-1021 Improper Restriction of Rendered UI Layers or Frames.

Code examples #

Noncompliant code

When sending message: var iframe = document.getElementById("testiframe"); iframe.contentWindow.postMessage("secret", "*"); // Noncompliant: * is used

When receiving message: window.addEventListener("message", function(event) { // Noncompliant: no checks are done on the origin property. console.log(event.data); });

Compliant code

When sending message: var iframe = document.getElementById("testsecureiframe"); iframe.contentWindow.postMessage("hello", "https://secure.example.com"); // Compliant

When receiving message: window.addEventListener("message", function(event) { if (event.origin !== "http://example.org") // Compliant return; });

What are your Feelings

Powered by BetterDocs

Report

Harassment or bullying behavior
Contains mature or sensitive content
Contains misleading or false information
Contains abusive or derogatory content
Contains spam, fake content or potential malware

Block Member?

Please confirm you want to block this member.

You will no longer be able to:

  • See blocked member's posts
  • Mention this member in posts
  • Invite this member to groups

Please allow a few minutes for this process to complete.

Report

You have already reported this .