Security issue detected - the program posts a cross-document message with an overly permissive target origin #3112
pankajkh-07 started this conversation in General
Replies: 0 comments
One of the new features of HTML5 is cross-document messaging. The feature allows scripts to post messages to other windows. The corresponding API allows the user to specify the origin of the target window. However, caution should be taken when specifying the target origin because an overly permissive target origin will allow a malicious script to communicate with the victim window in an inappropriate way, leading to spoofing, data theft, relay, and other attacks.
Example 1: The following example uses a wildcard to programmatically specify the target origin of the message to be sent.
```javascript
o.contentWindow.postMessage(message, '*');
```
Using `*` as the value of the target origin indicates that the script is sending a message to a window regardless of its origin.
Are there any ways to tackle this issue at configuration time?
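The following is an added example, not code from the post above or from any project it refers to. It models the browser's delivery rule for `postMessage` (a message is delivered only when `targetOrigin` is `*` or matches the origin of the document currently loaded in the target window) so that the difference between the flagged wildcard call and an explicit target origin can be exercised outside a browser. The `FakeWindow` class, the scenario functions and all origins and payloads (`https://app.example`, `https://widget.example`, `https://evil.example`, the token values) are assumptions constructed for the illustration.

```javascript
// Added example, not code from the discussion above: a small model of the
// browser's cross-document messaging rules so the effect of the targetOrigin
// argument can be exercised outside a browser. All origins and payloads are
// constructed for the illustration.

const APP_ORIGIN = 'https://app.example';       // assumed embedding page
const WIDGET_ORIGIN = 'https://widget.example'; // assumed trusted iframe
const EVIL_ORIGIN = 'https://evil.example';     // assumed attacker site

// Stand-in for a browsing context (a window or an iframe's contentWindow).
class FakeWindow {
  constructor(origin) {
    this.origin = origin;  // origin of the document loaded right now
    this.listeners = [];
    this.received = [];    // every message that was actually delivered here
  }

  addEventListener(type, fn) {
    if (type === 'message') this.listeners.push(fn);
  }

  // Browser rule: the message is delivered only if targetOrigin is '*' or
  // equals the origin of the document in this window at delivery time.
  postMessage(data, targetOrigin, source) {
    if (targetOrigin !== '*' && targetOrigin !== this.origin) return false;
    const event = { data, origin: source.origin, source };
    this.received.push(event);
    for (const fn of this.listeners) fn(event);
    return true;
  }

  // A navigation replaces the document, its origin and its listeners.
  navigate(origin) {
    this.origin = origin;
    this.listeners = [];
  }
}

// Sender, the pattern the scanner flags: '*' delivers to whatever is loaded.
function sendWithWildcard(parent, frame, payload) {
  return frame.postMessage(payload, '*', parent);
}

// Sender, hardened: name the one origin the data is intended for.
function sendToTrustedOrigin(parent, frame, payload) {
  return frame.postMessage(payload, WIDGET_ORIGIN, parent);
}

// Receiver: accept only messages whose event.origin is the trusted one.
// A receiver cannot rely on the sender having used a strict targetOrigin.
function installGuardedReceiver(win, trustedOrigin) {
  const accepted = [];
  win.addEventListener('message', (event) => {
    if (event.origin !== trustedOrigin) return;
    accepted.push(event.data);
  });
  return accepted;
}

// Scenario 1: the parent embeds the widget, the frame is navigated to the
// attacker's site (a link inside it is enough), then the parent sends a secret.
function senderScenario() {
  const parent = new FakeWindow(APP_ORIGIN);
  const frame = new FakeWindow(WIDGET_ORIGIN);
  frame.navigate(EVIL_ORIGIN);
  const secret = { token: 'constructed-session-token' };
  return {
    leakedByWildcard: sendWithWildcard(parent, frame, secret),    // true
    leakedByExplicit: sendToTrustedOrigin(parent, frame, secret), // false
    seenByAttacker: frame.received.length,                        // 1
  };
}

// Scenario 2: the widget is framed by an attacker page that posts commands;
// only the message from the real parent passes the event.origin check.
function receiverScenario() {
  const widget = new FakeWindow(WIDGET_ORIGIN);
  const accepted = installGuardedReceiver(widget, APP_ORIGIN);
  const evilParent = new FakeWindow(EVIL_ORIGIN);
  const realParent = new FakeWindow(APP_ORIGIN);
  widget.postMessage({ cmd: 'setToken', token: 'attacker-chosen' }, '*', evilParent);
  widget.postMessage({ cmd: 'setToken', token: 'constructed-legit' }, WIDGET_ORIGIN, realParent);
  return { delivered: widget.received.length, accepted: accepted.length }; // 2, 1
}
```

The point the model makes explicit is that `targetOrigin` is an argument of each `postMessage` call, not a site or server setting: there is nothing to configure, the fix is in the sending code (pass the exact origin the data is for) and, independently, in the receiving code (check `event.origin` before acting on `event.data`), since the receiver cannot know what the sender passed.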