Missing origin verification in postMessage handler¶
ID: js/missing-origin-check
Kind: problem
Security severity: 5
Severity: warning
Precision: medium
Tags:
- correctness
- security
- external/cwe/cwe-020
- external/cwe/cwe-940
Query suites:
- javascript-security-extended.qls
- javascript-security-and-quality.qls
Click to see the query in the CodeQL repository
The "message" event is used to send messages between windows. An untrusted window can send a message to a trusted window, and it is up to the receiver to verify the legitimacy of the message. One way of performing that verification is to check the origin of the message ensure that it originates from a trusted window.
Recommendation¶
Always verify the origin of incoming messages.
Example¶
The example below uses a received message to execute some code. However, the origin of the message is not checked, so it might be possible for an attacker to execute arbitrary code.
function postMessageHandler(event) {
let origin = event.origin.toLowerCase();
console.log(origin)
// BAD: the origin property is not checked
eval(event.data);
}
window.addEventListener('message', postMessageHandler, false);
The example is fixed below, where the origin is checked to be trusted. It is therefore not possible for a malicious user to perform an attack using an untrusted origin.
function postMessageHandler(event) {
console.log(event.origin)
// GOOD: the origin property is checked
if (event.origin === 'https://www.example.com') {
// do something
}
}
window.addEventListener('message', postMessageHandler, false);