Is window.parent.postMessage(message, window.parent.origin) more secure than window.parent.postMessage(message, '*')?

We have an iframe component that is loaded by a parent frame. That frame can be from anywhere (our web application is a shared component and can be accessed from any client installation of our main product). So we can't know in advance who loaded us unless we keep some kind of database with allowed origins, which we don't.

We are sending a postMessage() to our parent frame, and we can't know the target origin in advance, so I put '*'. A colleague of mine suggested I use window.parent.origin instead, but as far as I understand this has the same effect - postMessage will check that the target origin is the same as itself! Not to mention that it fails when cross-domain.

So am I missing something here? Does using window.parent.origin confer any greater security than a wildcard?

asked Apr 17, 2018 at 8:06 by sashoalm
  • Well without you providing a specific origin, I could possibly embed your component in my page, and then my page would be the receiver of whatever you send via postMessage - whether that could leak sensitive data is for you to determine. (But simply getting the origin from the parent would not solve that issue either, of course.) – C3roe Commented Apr 17, 2018 at 8:12
  • Well talking absolutely, the window.parent.origin option would indeed limit yourself to your own domain, so yes it would be safer, but probably not what you want. Can't you set up some API-key system, that the page using your components could post? – Kaiido Commented Apr 17, 2018 at 8:19

2 Answers

The wildcard "*" could be dangerous if the parent page gets redirected to a malicious site that could receive your message with sensitive data.

In this particular case, parent.origin wouldn't give any security benefits. Ideally, the component's server should be used to detect and validate the origin of the parent window.

Is window.parent.postMessage(message, window.parent.origin) more secure than window.parent.postMessage(message, '*')?

It depends on what the danger is for you, and what you consider safe use of your app.

Imagine that your iframe is hosted on domain A, and it is called from domain B. If in this case sending messages from your iframe to the parent is considered dangerous, then yes - window.parent.postMessage(message, window.parent.origin) is more secure than window.parent.postMessage(message, '*').

Using window.parent.origin as targetOrigin will not provide any data to a parent that is hosted on a domain other than the iframe domain.
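To make the two answers concrete, here is an added example (not from the question or either answer) that models, in plain Node-runnable JavaScript, the browser's targetOrigin check on the sending side and an origin allowlist on the receiving side. The origins and the functions `wouldDeliver`, `readParentOrigin` and `makeReceiver` are constructed for illustration; they are not browser APIs.

```javascript
// Simplified model of the browser rule for postMessage(message, targetOrigin):
// '*' delivers to whatever origin the target window currently has,
// '/' means "only my own origin", anything else must match the receiver exactly.
function wouldDeliver(targetOrigin, senderOrigin, receiverOrigin) {
  if (targetOrigin === '*') return true;
  if (targetOrigin === '/') return senderOrigin === receiverOrigin;
  return targetOrigin === receiverOrigin;
}

// Models the cross-origin restriction the question mentions: window.parent.origin
// is only readable when parent and iframe share an origin; otherwise the browser
// throws a SecurityError, so this cannot be used to discover an unknown embedder.
function readParentOrigin(parentOrigin, iframeOrigin) {
  if (parentOrigin !== iframeOrigin) {
    throw new Error('SecurityError: cross-origin read of window.parent.origin');
  }
  return parentOrigin;
}

// Receiving side (what a registered-origin or API-key scheme would back):
// the parent should check event.origin before trusting event.data.
function makeReceiver(allowedOrigins) {
  const accepted = [];
  return {
    onMessage(event) {
      if (!allowedOrigins.includes(event.origin)) return false; // drop it
      accepted.push(event.data);
      return true;
    },
    accepted,
  };
}

// Scenario from the first answer (constructed origins): the iframe at WIDGET
// sent to a parent that has since navigated to EVIL. With '*' the message is
// delivered; with the intended client origin pinned, it is not.
const WIDGET = 'https://widget.example';
const CLIENT = 'https://client.example';
const EVIL = 'https://evil.example';

function redirectedParentScenario() {
  return {
    wildcard: wouldDeliver('*', WIDGET, EVIL),          // true: leaks
    pinned: wouldDeliver(CLIENT, WIDGET, EVIL),         // false: dropped
    sameOrigin: wouldDeliver(CLIENT, WIDGET, CLIENT),   // true: intended
  };
}

console.log(redirectedParentScenario());
```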
