Permissive origin in postMessage

Overview

  • Rule ID: java_lang_information_leakage

  • Applicable Languages: JavaScript

  • Weakness ID: CWE-346

Description

Using a permissive target origin in postMessage calls presents a security risk. The second argument of window.postMessage tells the browser which origin the receiving document must have for the message to be delivered. Setting it to "*" disables that check: the message is delivered to whatever document is currently loaded in the target window, including a page an attacker has navigated that window, popup or iframe to. Any sensitive data in the message (tokens, session identifiers, user data) is then exposed to an unauthorized origin.

Remediation Guidelines

  • Do not use "*" as the target origin in postMessage calls. This practice is insecure because the browser will hand the message to any origin that happens to be loaded in the target window, so the sender has no control over who reads it.

    window.postMessage(message, '*'); // unsafe
  • Do specify the precise origin of the target application when using postMessage. This ensures that only the intended recipient can access the message.

    window.postMessage(message, 'https://myapp.example.com');
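The following is an added example, not code from the original rule page. It wraps both sides of the exchange described above: the sender refuses the "*" wildcard and normalises the target origin to scheme://host[:port] before calling postMessage, and the receiver drops any message whose event.origin is not on an allow list (the receiving side also has to validate the origin, otherwise a malicious page can post into the frame). The helper names (normalizeOrigin, sendToOrigin, makeMessageHandler, fakeWindow) and the stand-in window object are assumptions made so the example runs under Node without a browser; in a real page you would pass the actual popup or iframe contentWindow.

```javascript
// Added example (not part of the original page). Helper names and the
// fake window object are assumptions made for this illustration.

// Reduce a target origin to scheme://host[:port] and reject the wildcard.
// WHATWG URL is a global in Node and in browsers.
function normalizeOrigin(origin) {
  if (typeof origin !== 'string' || origin === '*') {
    throw new Error('refusing wildcard or non-string target origin');
  }
  let parsed;
  try {
    parsed = new URL(origin);
  } catch (e) {
    throw new Error(`invalid origin: ${origin}`);
  }
  // Opaque origins (e.g. data:, file: in some browsers) serialise as "null"
  // and cannot be used as a postMessage target origin.
  if (parsed.origin === 'null') {
    throw new Error(`opaque origin not allowed: ${origin}`);
  }
  return parsed.origin; // e.g. "https://myapp.example.com" (default port dropped)
}

// Sender side: always pass an explicit origin, never "*".
function sendToOrigin(targetWindow, message, targetOrigin) {
  const origin = normalizeOrigin(targetOrigin);
  targetWindow.postMessage(message, origin);
  return origin;
}

// Receiver side: only act on messages from an allow-listed origin.
// Returns true when the message was accepted, false when it was dropped.
function makeMessageHandler(allowedOrigins, onMessage) {
  const allowed = new Set(allowedOrigins.map(normalizeOrigin));
  return function handleMessage(event) {
    if (!allowed.has(event.origin)) {
      return false; // unknown origin: ignore, do not throw or leak data
    }
    onMessage(event.data, event.origin);
    return true;
  };
}

// Constructed stand-in for a browser window so the example runs offline.
// It records what would have been posted and with which target origin.
function fakeWindow() {
  const sent = [];
  return {
    sent,
    postMessage(data, origin) {
      sent.push({ data, origin });
    },
  };
}

// Walk through the unsafe call, the fixed call, and receiver-side validation.
function demo() {
  const popup = fakeWindow();
  const results = { wildcardRejected: false };

  // The unsafe pattern from the rule page is refused by the wrapper.
  try {
    sendToOrigin(popup, { token: 'secret' }, '*');
  } catch (e) {
    results.wildcardRejected = true;
  }

  // The remediated pattern: explicit origin, normalised before sending.
  sendToOrigin(popup, { token: 'secret' }, 'https://myapp.example.com:443/');
  results.sent = popup.sent[0];

  // Receiver: accept the trusted origin, drop a constructed hostile one.
  const received = [];
  const handler = makeMessageHandler(['https://myapp.example.com'], (data, origin) => {
    received.push({ data, origin });
  });
  results.accepted = handler({ origin: 'https://myapp.example.com', data: 'hello' });
  results.dropped = handler({ origin: 'https://attacker.example', data: 'hello' });
  results.received = received;
  return results;
}
```

In a browser the same handler is registered with window.addEventListener('message', handler); the allow list should name only the origins that are expected to send messages, and the sender should pass the exact origin it expects the target window to be showing at the time of the call.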
