CodeQL documentation
CodeQL resources

Missing origin verification in postMessage handler

ID: js/missing-origin-check
Kind: problem
Security severity: 5
Severity: warning
Precision: medium
Tags:
  - correctness
  - security
  - external/cwe/cwe-020
  - external/cwe/cwe-940
Query suites:
  - javascript-security-extended.qls
  - javascript-security-and-quality.qls


The "message" event is used to send messages between windows. An untrusted window can send a message to a trusted window, and it is up to the receiver to verify the legitimacy of the message. One way of performing that verification is to check the origin of the message to ensure that it originates from a trusted window.

Recommendation

Always verify the origin of incoming messages.

Example

The example below uses a received message to execute some code. However, the origin of the message is not checked, so it might be possible for an attacker to execute arbitrary code.

```javascript
function postMessageHandler(event) {
  let origin = event.origin.toLowerCase();
  console.log(origin);
  // BAD: the origin property is not checked
  eval(event.data);
}
window.addEventListener('message', postMessageHandler, false);
```

The example is fixed below, where the origin is checked to be trusted. It is therefore not possible for a malicious user to perform an attack using an untrusted origin.

```javascript
function postMessageHandler(event) {
  console.log(event.origin);
  // GOOD: the origin property is checked
  if (event.origin === 'https://www.example.com') {
    // do something
  }
}
window.addEventListener('message', postMessageHandler, false);
```
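The following is an added example, not code from the CodeQL documentation: it extends the fixed handler with an exact-match origin allow-list and treats the message payload as data dispatched through a fixed set of actions rather than as code. The origins, action names and `handleMessage` return shape are constructed for illustration.

```javascript
// Added example (not from the CodeQL docs): a "message" handler that accepts
// only allow-listed origins and validates the payload before acting on it.
// Constructed allow-list; a real page lists its own trusted origins.
const TRUSTED_ORIGINS = new Set([
  'https://www.example.com',
  'https://app.example.com',
]);

// Exact string comparison. A prefix test such as
// origin.startsWith('https://www.example.com') would also accept
// 'https://www.example.com.attacker.test', so it is not used here.
function isTrustedOrigin(origin) {
  return typeof origin === 'string' && TRUSTED_ORIGINS.has(origin);
}

// Fixed set of operations the page is willing to perform. Message fields are
// parameters to these functions and are never evaluated as code.
const ACTIONS = {
  setTheme: (params) => ({ theme: params.theme === 'dark' ? 'dark' : 'light' }),
  ping: () => ({ pong: true }),
};

// Handles one MessageEvent-like object ({ origin, data }) and returns a
// result describing what happened, so behaviour can be checked outside a browser.
function handleMessage(event) {
  if (!isTrustedOrigin(event.origin)) {
    return { accepted: false, reason: 'untrusted origin' };
  }
  const data = event.data;
  if (typeof data !== 'object' || data === null || typeof data.action !== 'string') {
    return { accepted: false, reason: 'malformed message' };
  }
  // hasOwnProperty guards against names inherited from Object.prototype.
  const action = Object.prototype.hasOwnProperty.call(ACTIONS, data.action)
    ? ACTIONS[data.action]
    : undefined;
  if (!action) {
    return { accepted: false, reason: 'unknown action' };
  }
  return { accepted: true, result: action(data.params || {}) };
}

// In a browser the handler is installed exactly as in the examples above.
if (typeof window !== 'undefined') {
  window.addEventListener('message', handleMessage, false);
}
```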
