Permissive origin in postMessage

Overview

Rule ID: java_lang_information_leakage
Applicable Languages: Javascript
Weakness ID: CWE-346

Description

Using a permissive origin in postMessage calls presents a security risk. Setting the target origin to "*" in a postMessage call means that any website can receive the message, potentially exposing sensitive information to unauthorized parties.

Remediation Guidelines

Do not use "*" as the target origin in postMessage calls. This practice is insecure because it permits any website to receive the messages.
```
window.postMessage(message, '*'); // unsafe
```
Do specify the precise origin of the target application when using postMessage. This ensures that only the intended recipient can access the message.
```
window.postMessage(message, 'https://myapp.example.com');
```

References

Configuration

PreviousPermissive file assignment NextUnsanitized dynamic input in file path traversal

Last updated 8 months ago