Instantly share code, notes, and snippets.

Embed
What would you like to do?
postMessage() security review checklist

Security-Reviewing Uses of postMessage()

The postMessage() API is an HTML5 extension that permits string message-passing between frames that don't share the same origin. It is available in all modern browsers. It is not supported in IE6 and IE7.

postMessage is generally considered very secure as long as the programmer is careful to check the origin and source of an arriving message. Acting on a message without verifying its source opens a vector for cross-site scripting attacks. See Zalewski [4].

For some historical background, Barth et al. [3] describe prior cross-frame communication hacks. Section 4.2 explains how the origin parameter patches XSS vulnerabilities. Without the origin parameter, an attacker could cause a child frame engaged in message-passing with the parent to navigate away to a different site, with the result that the message could be delivered to the attacker.

Checklist for postMessage Security Review

Based on the considerations described in the References below, here is a checklist for assessing uses of postMessage():

  • Does the browser support postMessage?
  • Is the message origin correct?
  • Is the message data sanitized?
  • Is the message data validated?
  • Are messages received only from known origins?
  • Are origins matched using strict equality (so no indexOf(".foo.com") > 0)?
  • Are messages sent without using wildcards in the origin?

References

[1] http://www.whatwg.org/specs/web-apps/current-work/multipage/web-messaging.html#web-messaging

[2] https://developer.mozilla.org/en/DOM/window.postMessage

[3] "Securing Frame Communication in Browsers," Adam Barth, Collin Jackson, and John C. Mitchell, 2008; http://seclab.stanford.edu/websec/frames/post-message.pdf

[4] "The Tangled Web," Michael Zalewski, 2012; pages 144-145.

@h3xstream

This comment has been minimized.

h3xstream commented Jun 4, 2015

Great summary! Straight to the point and very good checklist.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment