As already mentioned here, you should not expect the parent's origin to be sent to you in the postMessage parameter. Consider this:
If you expect to receive messages from other sites, always check the sender's identity using the origin and possibly source properties. Any window (including, for example, http://evil.example.com) can send a message to any other window, and you have no guarantee that an unknown sender will not send malicious messages. After checking, however, you should still always check the syntax of the received message. Otherwise, a security hole on the site that you trust to send only trusted messages could open cross-site scripting on your site.
And once you have the URI of the main frame in your iframe, you can check its authorization by simply making an AJAX call to the server. From my point of view, a server call is inevitable; one way or another you will make such a call.
There are other ways to find out who includes your iframe, but they do not rely on postMessage. For example, if you use PHP, you can check $_SERVER['HTTP_REFERER'] to see who is requesting your iframe before it is sent to the browser. However, there are ways to spoof it.
If your application needs a solid solution with bulletproof permissions, server-to-server communication is your way. In this case, each of your clients has a username and password, and the web server that will serve the main page must request a one-time pass token from the web server that serves the iframe (this is the server-to-server connection). It then uses the token in the iframe URL, which will be sent back to the server that generated it. Here is the step-by-step of this scenario:
1. The end user requests the URL http://customer.com/main.php.
2. While main.php executes and populates the response, it also connects to http://your_website.com/generate_token.php?username=customer1&password=123 and receives a one-time token, token1.
3. The response is returned to the browser containing the iframe with the URL http://your_website.com/iframe.php?token=token1.
4. In iframe.php you check token1 to make sure it is valid, and at the same time you authenticate the requester without actually asking for its username and/or password (since you know who you generated the token for).
Such tokens are usually deleted after use (once), and they also usually have an expiration time. But that is up to you and your application.
Mehran
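The receiving-side checks that the quoted passage calls for, written out as an added example (this is not code from the answer above; `handleIframeMessage`, `parseEmbedMessage`, the allow-list of parent origins and the message shape `{ type, pageUri }` are all assumptions made for the example). It is plain JavaScript so it can be exercised with constructed event objects; the browser wiring is shown in the trailing comment.

```javascript
// Added example (not from the original answer): validating a postMessage
// event on the receiving side, as the quoted MDN passage recommends.
// The allow-list and the expected message shape are assumptions.

const ALLOWED_PARENT_ORIGINS = new Set([
  'https://customer.com',   // constructed example of a trusted embedder
]);

// Expected message shape (assumed): { type: 'embed-context', pageUri: string }
// Returns a normalised copy, or null if the data does not match the shape.
function parseEmbedMessage(data) {
  if (typeof data !== 'object' || data === null) return null;
  if (data.type !== 'embed-context') return null;
  if (typeof data.pageUri !== 'string') return null;
  let uri;
  try { uri = new URL(data.pageUri); } catch (e) { return null; }
  if (uri.protocol !== 'https:') return null;
  return { type: data.type, pageUri: uri.href };
}

// Returns the validated message, or null when the event must be ignored.
// `expectedSource` is the window you expect to hear from (window.parent
// inside an iframe); passing null skips the source check.
function handleIframeMessage(event, expectedSource) {
  // 1. Origin check: only trusted parents may talk to us.
  if (!ALLOWED_PARENT_ORIGINS.has(event.origin)) return null;
  // 2. Source check: the message must come from the window that embeds us.
  if (expectedSource !== null && event.source !== expectedSource) return null;
  // 3. Syntax check: even a trusted origin could relay garbage.
  const msg = parseEmbedMessage(event.data);
  if (msg === null) return null;
  // 4. The claimed page URI must belong to the origin that sent it;
  //    otherwise the parent could claim to be a page it is not.
  if (new URL(msg.pageUri).origin !== event.origin) return null;
  return msg;
}

// In the browser this is wired up roughly as:
//   window.addEventListener('message', (e) => {
//     const msg = handleIframeMessage(e, window.parent);
//     if (msg) { /* send msg.pageUri to your server for authorization */ }
//   });
```

Note that step 4 only proves which origin sent the claim, not that the page is entitled to embed you; that decision still belongs to your server, which is the point the answer makes about the AJAX call.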
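The one-time-token scenario from the step-by-step above, as an added example of how the site serving the iframe could implement it (this is not the answer's own code; the function names, the in-memory customer table, the 60-second lifetime and the use of scrypt for the stored passwords are assumptions). The token store is a `Map` here; a real deployment would keep pending tokens in a shared database or cache so that generate_token.php and iframe.php see the same state.

```javascript
// Added example (not from the original answer): the one-time-token flow
// of steps 2 to 4. Names, storage and the TTL are assumptions.
const crypto = require('crypto');

const TOKEN_TTL_SECONDS = 60;   // assumed lifetime of an unused token

// Customer credentials, stored as scrypt hashes (constructed sample data).
const customers = new Map();
function registerCustomer(username, password) {
  const salt = crypto.randomBytes(16);
  const hash = crypto.scryptSync(password, salt, 32);
  customers.set(username, { salt, hash });
}

// Constant-time comparison of the derived key against the stored hash.
function checkCredentials(username, password) {
  const rec = customers.get(username);
  if (!rec) return false;
  const candidate = crypto.scryptSync(password, rec.salt, 32);
  return crypto.timingSafeEqual(candidate, rec.hash);
}

// token -> { username, expiresAt }; an entry is removed the moment it is used.
const pendingTokens = new Map();

// Step 2, generate_token.php: called server-to-server by customer.com, never
// by the browser. Returns the token, or null when the credentials are wrong.
function generateToken(username, password, nowSeconds) {
  if (!checkCredentials(username, password)) return null;
  const token = crypto.randomBytes(32).toString('hex');   // 256 bits of entropy
  pendingTokens.set(token, { username, expiresAt: nowSeconds + TOKEN_TTL_SECONDS });
  return token;
}

// Step 3: the URL customer.com places in its <iframe src="...">.
function iframeUrl(token) {
  return `https://your_website.com/iframe.php?token=${encodeURIComponent(token)}`;
}

// Step 4, iframe.php: consumes the token and returns the customer it was
// issued for, or null if it is unknown, already used or expired.
function redeemToken(token, nowSeconds) {
  const entry = pendingTokens.get(token);
  if (!entry) return null;
  pendingTokens.delete(token);          // single use, whether or not it is still valid
  if (nowSeconds > entry.expiresAt) return null;
  return entry.username;
}

// Periodic cleanup so tokens that were issued but never used do not pile up.
function purgeExpired(nowSeconds) {
  for (const [token, entry] of pendingTokens) {
    if (nowSeconds > entry.expiresAt) pendingTokens.delete(token);
  }
}
```

Because the token is consumed on first use, a copy of the iframe URL that leaks out of the page (browser history, referer headers, a shared screenshot) is worthless once the real iframe has loaded, and an unused copy dies with the TTL.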