The postMessage() API is an HTML5 extension that permits string message-passing between frames that don't share the same origin. It is available in all modern browsers. It is not supported in IE6 and IE7.
postMessage is generally considered very secure as long as the programmer is careful to check the origin and source of an arriving message. Acting on a message without verifying its source opens a vector for cross-site scripting attacks. See Zalewski [4].
For some historical background, Barth et al. [3] describe prior cross-frame communication hacks. Section 4.2 explains how the origin parameter patches XSS vulnerabilities. Without the origin parameter, an attacker could cause a child frame engaged in message-passing with the parent to navigate away to a different site, with the result that the message could be delivered to the attacker.
Based on the considerations described in the References below, here is a checklist for assessing uses of postMessage():
- Does the browser support postMessage?
- Is the message origin correct?
- Is the message data sanitized?
- Is the message data validated?
- Are messages received only from known origins?
- Are origins matched using strict equality (so no indexOf(".foo.com") > 0)?
- Are messages sent without using wildcards in the origin?
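The checklist applied to one receiver and one sender, as an added example that is not part of the original page. The origin https://app.foo.com, the "resize" message shape and all function names are assumptions made for illustration.

```javascript
// Added example: hypothetical names and origins throughout.
const ALLOWED_ORIGINS = new Set(["https://app.foo.com"]); // assumed trusted origin

// Weak: the substring test the checklist warns about. Any origin that
// merely contains ".foo.com" passes, e.g. "https://www.foo.com.example".
function weakOriginCheck(origin) {
  return origin.indexOf(".foo.com") > 0;
}

// Strict: exact string equality against a list of known origins.
function strictOriginCheck(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

// Validate the payload: a short JSON string with exactly the fields we expect.
function parseMessage(data) {
  if (typeof data !== "string" || data.length > 1024) return null;
  let msg;
  try { msg = JSON.parse(data); } catch (e) { return null; }
  if (msg === null || typeof msg !== "object") return null;
  if (msg.type !== "resize") return null;
  if (!Number.isInteger(msg.height) || msg.height < 0 || msg.height > 10000) return null;
  return { type: "resize", height: msg.height }; // copy known, typed fields only
}

// Build a "message" listener bound to the one frame we expect to hear from.
// In a page: window.addEventListener("message", makeReceiver(iframe.contentWindow, fn));
function makeReceiver(expectedSource, onValid) {
  return function onMessage(event) {
    if (!strictOriginCheck(event.origin)) return "rejected: origin";
    if (event.source !== expectedSource) return "rejected: source";
    const msg = parseMessage(event.data);
    if (msg === null) return "rejected: data";
    onValid(msg);
    return "accepted";
  };
}

// Sender side: always name the recipient's origin, never "*".
function sendTo(targetWindow, message, targetOrigin) {
  if (targetOrigin === "*") throw new Error("wildcard target origin refused");
  targetWindow.postMessage(JSON.stringify(message), targetOrigin);
}
```

The listener returns a status string only so the outcome of each check is visible; a real handler would simply return without acting on a rejected message.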
[1] http://www.whatwg.org/specs/web-apps/current-work/multipage/web-messaging.html#web-messaging
[2] https://developer.mozilla.org/en/DOM/window.postMessage
[3] "Securing Frame Communication in Browsers," Adam Barth, Collin Jackson, and John C. Mitchell, 2008; http://seclab.stanford.edu/websec/frames/post-message.pdf
[4] "The Tangled Web," Michal Zalewski, 2012; pages 144-145.
Great summary! Straight to the point and very good checklist.