Permissive origin in postMessage
Last updated
Rule ID: java_lang_information_leakage
Applicable Languages: Javascript
Weakness ID: CWE-346
Using a permissive target origin in `postMessage` calls presents a security risk. Passing `"*"` as the target origin tells the browser to deliver the message to whatever document currently occupies the target window, regardless of its origin. If that window has been navigated to, or was opened by, an attacker-controlled page, the attacker receives the message, potentially exposing tokens, session data or other sensitive information to an unauthorized party.
Do not use `"*"` as the target origin in `postMessage` calls. This practice is insecure because it permits a document of any origin to receive the message.

Do specify the precise origin (scheme, host and port) of the target application when calling `postMessage`. The browser then silently drops the message unless the document in the target window has exactly that origin, so only the intended recipient can read it. On the receiving side, check `event.origin` against an allow list before trusting `event.data`; a strict target origin protects the sender, and the origin check protects the receiver.
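The following is an added example, not code from the original page or from any scanner vendor, showing the insecure `"*"` sender beside its hardened form and a receiver that validates `event.origin`. The partner origin `https://partner.example.com`, the token payload, and the function names are assumptions for illustration; `makeFakeWindow` is a constructed stand-in for a browser window so the example runs under Node and mimics the origin check the browser applies to the `targetOrigin` argument.

```javascript
// Assumed trusted origin of the embedded partner application.
const TRUSTED_PARTNER_ORIGIN = "https://partner.example.com";

// Normalizes an origin string so comparisons are exact
// ("https://partner.example.com" and "https://partner.example.com/" match).
function normalizeOrigin(value) {
  try {
    return new URL(value).origin;
  } catch {
    return null; // not a valid URL, treat as no origin
  }
}

// Vulnerable sender: "*" delivers the token to whichever document currently
// occupies targetWindow, even if it has been navigated to an attacker's site.
function sendTokenInsecure(targetWindow, token) {
  targetWindow.postMessage({ type: "token", token }, "*");
}

// Hardened sender: the browser drops the message unless the document in
// targetWindow has exactly this origin.
function sendTokenSecure(targetWindow, token) {
  targetWindow.postMessage({ type: "token", token }, TRUSTED_PARTNER_ORIGIN);
}

// Receiver side: validate event.origin against an allow list before
// trusting event.data. Returns the token, or null when the message is ignored.
function handleMessage(event, allowedOrigins) {
  if (!allowedOrigins.includes(event.origin)) {
    return null; // message from an unexpected origin
  }
  const data = event.data;
  if (!data || typeof data !== "object" || data.type !== "token") {
    return null; // unexpected shape
  }
  return data.token;
}

// Constructed stand-in for a browser window (hypothetical helper). It records
// messages that would actually be delivered, applying the same rule the
// browser uses: "*" always delivers, otherwise targetOrigin must match the
// origin of the document currently loaded in the window.
function makeFakeWindow(currentOrigin) {
  const delivered = [];
  return {
    delivered,
    postMessage(message, targetOrigin) {
      if (targetOrigin === "*" || normalizeOrigin(targetOrigin) === currentOrigin) {
        delivered.push(message);
      }
    },
  };
}

// Demonstrates the difference when the target frame has been hijacked.
function demo() {
  // Assume the frame was navigated to an attacker-controlled page.
  const hijacked = makeFakeWindow("https://attacker.example");
  sendTokenInsecure(hijacked, "s3cr3t"); // leaks
  sendTokenSecure(hijacked, "s3cr3t");   // dropped by the browser

  // The legitimate partner frame still receives the hardened message.
  const partner = makeFakeWindow(TRUSTED_PARTNER_ORIGIN);
  sendTokenSecure(partner, "s3cr3t");

  return {
    leakedToAttacker: hijacked.delivered.length,   // 1, from the "*" call
    deliveredToPartner: partner.delivered.length,  // 1
  };
}
```

In a real page the sender would be `iframe.contentWindow` or the result of `window.open`, and `handleMessage` would be registered with `window.addEventListener("message", ...)`; the origin comparison must use the full origin string, since a substring check such as `origin.endsWith("example.com")` is bypassed by `attacker-example.com`.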
To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our