CodeQL documentation

Missing origin verification in postMessage handler

ID: js/missing-origin-check
Kind: problem
Security severity: 5
Severity: warning
Precision: medium
Tags:
   - correctness
   - security
   - external/cwe/cwe-020
   - external/cwe/cwe-940
Query suites:
   - javascript-security-extended.qls
   - javascript-security-and-quality.qls

Click to see the query in the CodeQL repository

The "message" event is used to send messages between windows. An untrusted window can send a message to a trusted window, and it is up to the receiver to verify the legitimacy of the message. One way of performing that verification is to check the origin of the message ensure that it originates from a trusted window.

Recommendation

Always verify the origin of incoming messages.

Example

The example below uses a received message to execute some code. However, the origin of the message is not checked, so it might be possible for an attacker to execute arbitrary code.

function postMessageHandler(event) {
    let origin = event.origin.toLowerCase();

    console.log(origin)
    // BAD: the origin property is not checked
    eval(event.data);
}

window.addEventListener('message', postMessageHandler, false);

The example is fixed below, where the origin is checked to be trusted. It is therefore not possible for a malicious user to perform an attack using an untrusted origin.

function postMessageHandler(event) {
    console.log(event.origin)
    // GOOD: the origin property is checked
    if (event.origin === 'https://www.example.com') {
        // do something
    }
}

window.addEventListener('message', postMessageHandler, false);

References

  • © GitHub, Inc.
  • Terms
  • Privacy