Skip to content

Instantly share code, notes, and snippets.

Created June 27, 2012 18:18
  • Star 61 You must be signed in to star a gist
  • Fork 9 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save jedp/3005816 to your computer and use it in GitHub Desktop.
postMessage() security review checklist

Security-Reviewing Uses of postMessage()

The postMessage() API is an HTML5 extension that permits string message-passing between frames that don't share the same origin. It is available in all modern browsers. It is not supported in IE6 and IE7.

postMessage is generally considered very secure as long as the programmer is careful to check the origin and source of an arriving message. Acting on a message without verifying its source opens a vector for cross-site scripting attacks. See Zalewski [4].

For some historical background, Barth et al. [3] describe prior cross-frame communication hacks. Section 4.2 explains how the origin parameter patches XSS vulnerabilities. Without the origin parameter, an attacker could cause a child frame engaged in message-passing with the parent to navigate away to a different site, with the result that the message could be delivered to the attacker.

Checklist for postMessage Security Review

Based on the considerations described in the References below, here is a checklist for assessing uses of postMessage():

  • Does the browser support postMessage?
  • Is the message origin correct?
  • Is the message data sanitized?
  • Is the message data validated?
  • Are messages received only from known origins?
  • Are origins matched using strict equality (so no indexOf("") > 0)?
  • Are messages sent without using wildcards in the origin?




[3] "Securing Frame Communication in Browsers," Adam Barth, Collin Jackson, and John C. Mitchell, 2008;

[4] "The Tangled Web," Michael Zalewski, 2012; pages 144-145.

Copy link

Great summary! Straight to the point and very good checklist.

Copy link

Marwil96 commented May 2, 2019

Thanks! Great list

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment