Skip to content

Instantly share code, notes, and snippets.

@jedp
Created June 27, 2012 18:18
Show Gist options
  • Save jedp/3005816 to your computer and use it in GitHub Desktop.
Save jedp/3005816 to your computer and use it in GitHub Desktop.
postMessage() security review checklist

Security-Reviewing Uses of postMessage()

The postMessage() API is an HTML5 extension that permits string message-passing between frames that don't share the same origin. It is available in all modern browsers. It is not supported in IE6 and IE7.

postMessage is generally considered very secure as long as the programmer is careful to check the origin and source of an arriving message. Acting on a message without verifying its source opens a vector for cross-site scripting attacks. See Zalewski [4].

For some historical background, Barth et al. [3] describe prior cross-frame communication hacks. Section 4.2 explains how the origin parameter patches XSS vulnerabilities. Without the origin parameter, an attacker could cause a child frame engaged in message-passing with the parent to navigate away to a different site, with the result that the message could be delivered to the attacker.

Checklist for postMessage Security Review

Based on the considerations described in the References below, here is a checklist for assessing uses of postMessage():

  • Does the browser support postMessage?
  • Is the message origin correct?
  • Is the message data sanitized?
  • Is the message data validated?
  • Are messages received only from known origins?
  • Are origins matched using strict equality (so no indexOf(".foo.com") > 0)?
  • Are messages sent without using wildcards in the origin?

References

[1] http://www.whatwg.org/specs/web-apps/current-work/multipage/web-messaging.html#web-messaging

[2] https://developer.mozilla.org/en/DOM/window.postMessage

[3] "Securing Frame Communication in Browsers," Adam Barth, Collin Jackson, and John C. Mitchell, 2008; http://seclab.stanford.edu/websec/frames/post-message.pdf

[4] "The Tangled Web," Michael Zalewski, 2012; pages 144-145.

@h3xstream
Copy link

Great summary! Straight to the point and very good checklist.

@Marwil96
Copy link

Marwil96 commented May 2, 2019

Thanks! Great list

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment