Missing origin check in message handler
Overview
Rule ID: javascript_lang_message_handler_origin
Applicable Languages: JavaScript
Weakness ID: CWE-346
Description
Not verifying the origin of message events can make your application vulnerable to Cross-Site Scripting (XSS) attacks. Any window that holds a reference to yours (an opener, a parent frame, an embedded iframe) can send it a message with postMessage, so a listener that acts on event.data without first checking event.origin processes input from an untrusted source.
Remediation Guidelines
Avoid adding message event listeners without verifying the origin of the messages, as this can expose your application to malicious inputs. For example:
window.addEventListener('message', (event) => {
  actOnMessage(event.data) // unsafe: event.origin is never checked
});
Instead, validate the origin of incoming messages before processing them. Confirm that the message comes from a trusted source by checking the event's origin against a predefined list of allowed origins.
window.addEventListener('message', (event) => {
  if (event.origin !== 'https://myapp.example.com') {
    throw new Error('invalid origin')
  }
  actOnMessage(event.data)
})
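The allowlist check described above, carried a little further, as an added example that is not part of this rule's documentation: exact-match origins, rejection of the opaque origin "null", and payload validation after the origin check. The names ALLOWED_ORIGINS, createMessageHandler and actOnMessage are assumed for illustration.

```javascript
// Added example (not the rule's own code). ALLOWED_ORIGINS, isTrustedOrigin
// and createMessageHandler are assumed names for illustration.

// Exact origins only (scheme + host + port). Never match on prefixes or
// substrings: "https://myapp.example.com.evil.test" must not pass.
const ALLOWED_ORIGINS = new Set([
  'https://myapp.example.com',
  'https://widgets.example.com',
]);

function isTrustedOrigin(origin, allowed = ALLOWED_ORIGINS) {
  // Opaque origins (sandboxed iframes, data: URLs) arrive as the string "null".
  if (typeof origin !== 'string' || origin === 'null') return false;
  return allowed.has(origin);
}

// Build a listener that only forwards messages from allowed origins. It
// returns a small result object so the decision can be tested without a
// browser; in production the return value is simply ignored.
function createMessageHandler(actOnMessage, allowed = ALLOWED_ORIGINS) {
  return function onMessage(event) {
    if (!isTrustedOrigin(event.origin, allowed)) {
      // Drop the message: an error thrown inside a listener is only logged to
      // the console, it does not stop other listeners from running.
      return { accepted: false, reason: 'untrusted origin' };
    }
    // The origin says who sent the message, not what it contains, so the
    // payload still needs to be validated before it is acted on.
    const data = event.data;
    if (typeof data !== 'object' || data === null || typeof data.type !== 'string') {
      return { accepted: false, reason: 'malformed payload' };
    }
    actOnMessage(data);
    return { accepted: true, reason: null };
  };
}

// Register the listener when running in a browser; skipped under Node.
if (typeof window !== 'undefined') {
  window.addEventListener('message', createMessageHandler((data) => {
    console.log('handling message of type', data.type);
  }));
}
```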