@jedp
Created June 27, 2012 18:18

Revisions

  1. jedp revised this gist Jun 27, 2012. 1 changed file with 4 additions and 4 deletions.
    8 changes: 4 additions & 4 deletions gistfile1.md
    @@ -25,12 +25,12 @@ Based on the considerations described in the References below, here is
    a checklist for assessing uses of `postMessage()`:

    - Does the browser support postMessage?
    - Is the message origin valid?
    - Is the message origin correct?
    - Is the message data sanitized?
    - Is the message data validated?
    - Are messages received from other than known origins?
    - Are origins matched in a fuzzy way (like `indexOf(".foo.com") > 0`)?
    - Are messages sent with a wildcard in the target origin?
    - Are messages received only from known origins?
    - Are origins matched using strict equality (so no `indexOf(".foo.com") > 0`)?
    - Are messages sent without using wildcards in the origin?

    References
    ==========
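Review bot: the strict-equality item should say what the origin is compared against, because a strict comparison is only as good as its right-hand side: `event.origin` carries scheme, host and port, so `- Are origins matched using strict equality (so no `indexOf(".foo.com") > 0`)?` is best read as "compared with `===` against a whitelist of full origins such as `https://app.foo.com`"; suffix checks (`endsWith(".foo.com")`) are as fuzzy as the `indexOf` example and would admit `https://evil.foo.com` or a same-named host on another scheme. The rewording otherwise improves the list, since every item now reads as a question where "yes" is the safe answer. Two small follow-ups: the items `- Is the message origin valid?` and `- Is the message origin correct?` overlap with the "only from known origins" item, so one of them can go, and the hunk still has no item for `event.source`, even though the body text says to check both the origin and the source of an arriving message; an item such as "Is `event.source` compared with the window the page expects to talk to?" would close that gap.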
  2. jedp created this gist Jun 27, 2012.
    46 changes: 46 additions & 0 deletions gistfile1.md
    @@ -0,0 +1,46 @@
    Security-Reviewing Uses of `postMessage()`
    ==========================================

    The `postMessage()` API is an HTML5 extension that permits string
    message-passing between frames that don't share the same origin. It
    is available in all modern browsers. It is not supported in IE6 and
    IE7.

    postMessage is generally considered very secure as long as the
    programmer is careful to check the origin and source of an arriving
    message. Acting on a message without verifying its source opens a
    vector for cross-site scripting attacks. See Zalewski [4].

    For some historical background, Barth et al. [3] describe prior
    cross-frame communication hacks. Section 4.2 explains how the origin
    parameter patches XSS vulnerabilities. Without the origin parameter,
    an attacker could cause a child frame engaged in message-passing with
    the parent to navigate away to a different site, with the result that
    the message could be delivered to the attacker.

    Checklist for postMessage Security Review
    =========================================

    Based on the considerations described in the References below, here is
    a checklist for assessing uses of `postMessage()`:

    - Does the browser support postMessage?
    - Is the message origin valid?
    - Is the message data sanitized?
    - Is the message data validated?
    - Are messages received from other than known origins?
    - Are origins matched in a fuzzy way (like `indexOf(".foo.com") > 0`)?
    - Are messages sent with a wildcard in the target origin?

    References
    ==========

    [1] http://www.whatwg.org/specs/web-apps/current-work/multipage/web-messaging.html#web-messaging

    [2] https://developer.mozilla.org/en/DOM/window.postMessage

    [3] "Securing Frame Communication in Browsers," Adam Barth, Collin
    Jackson, and John C. Mitchell, 2008;
    http://seclab.stanford.edu/websec/frames/post-message.pdf

    [4] "The Tangled Web," Michael Zalewski, 2012; pages 144-145.
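Review bot: references [1] and [2] are listed but never cited in the text, while [3] and [4] are; the first paragraph, which describes the API and its browser support, is the natural place to cite the WHATWG spec [1] and the MDN page [2], or the two entries should be dropped. On the content: the second paragraph says a receiver must check "the origin and source of an arriving message", but the checklist that follows only asks about the origin, and the two data items (`- Is the message data sanitized?`, `- Is the message data validated?`) would be clearer if they said that validation applies even to messages from a trusted origin, since a trusted frame can itself be compromised and the usual sink (`innerHTML`, `eval`, `location`) is where the XSS described in the Zalewski citation actually lands. The historical note on section 4.2 of Barth et al. is a good motivation for the origin parameter and matches the paper.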