I would like to create a secure postMessage connection (origin safe), with an Iframe that is created at runtime.
Current state:
I have a script that generates an iframe with a specific domain (domain.b in the example below). I want that iframe to receive messages only from the parent domain (the page that included my script). Since the parent domain is unknown at runtime, I'm thinking of a "Handshake" process as described and illustrated below:
- Wait for Iframe to be loaded.
- Send postMessage from the parent domain with its origin.
- Set the allowed origin to be the 1st received origin
Edit: More Info:
- On my server I have a whitelist of domains (for example domain.a, any.domain, domain.b)
- My Goal is to integrate with some of my clients (for example domain.a, domain.b)
- Once integrated I want to prevent hackers injecting Iframes that can listen to sensitive information over postMessage
- I want to avoid checking the whitelist, I prefer to give some accessToken, but not sure what is the right flow.
Example 1:
Example 2:
Is that the right way to implement it?
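Added example (not code from the question): the proposed handshake, where the iframe trusts the origin declared in the first message it receives, placed beside a receiver that fixes the expected origin before any message arrives, checks event.origin on every message and validates the payload shape. The handlers take plain event-like objects so they run outside a browser; the origins and messages are constructed placeholders.

```javascript
// Handshake from the question: the first message's self-declared origin
// becomes the trusted one, and later messages are accepted if they declare it.
function makeHandshakeReceiver() {
  let allowedOrigin = null;
  const accepted = []; // { from: actual event.origin, payload }
  return {
    onMessage(ev) {
      const claimed = (ev.data && ev.data.origin) || null; // unverified, comes from the sender
      if (allowedOrigin === null) { allowedOrigin = claimed; return; }   // first poster wins
      if (claimed === allowedOrigin) accepted.push({ from: ev.origin, payload: ev.data.payload });
    },
    accepted,
    get allowedOrigin() { return allowedOrigin; },
  };
}

// Verified receiver: expected origin is known up front (e.g. server-issued),
// event.origin is checked every time, and the message syntax is validated.
function makeVerifiedReceiver(expectedOrigin) {
  const accepted = [], rejected = [];
  const isWellFormed = (d) =>
    d !== null && typeof d === 'object' && typeof d.type === 'string' && typeof d.payload === 'string';
  return {
    onMessage(ev) {
      if (ev.origin !== expectedOrigin || !isWellFormed(ev.data)) { rejected.push(ev.origin); return; }
      accepted.push(ev.data);
    },
    accepted, rejected,
  };
}

// Constructed traffic: a legitimate parent and an unrelated window that
// declares the parent's origin inside its payload (placeholder origins).
const PARENT = 'https://domain-a.example';
const OTHER = 'https://other.example';
const sample = [
  { origin: OTHER,  data: { type: 'hello', payload: 'hi',     origin: PARENT } },
  { origin: PARENT, data: { type: 'hello', payload: 'secret', origin: PARENT } },
  { origin: OTHER,  data: { type: 'hello', payload: 'more',   origin: PARENT } },
  { origin: PARENT, data: 'not an object' },
];

function runHandshake() { const r = makeHandshakeReceiver(); sample.forEach(r.onMessage); return r; }
function runVerified() { const r = makeVerifiedReceiver(PARENT); sample.forEach(r.onMessage); return r; }
```

The handshake receiver ends up locked to the parent's origin as claimed by another window and accepts that window's later messages; the verified receiver accepts only the one well-formed message whose event.origin is the parent.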
edited Jul 5, 2013 at 7:43 by Shlomi Schwartz; asked Jul 1, 2013 at 11:57 by Shlomi Schwartz
- I believe you've made a mistake in your second example. I think you wanted to say postMessage("any.domain.", "domain.b.") in your first postMessage! – Mehran, Jul 4, 2013 at 8:39
- You are right ... sorry for that – Shlomi Schwartz, Jul 4, 2013 at 11:38
- Is there a reason why you don't just provide the parent domain in the URL loaded within the iframe (<iframe src="http://b.example?source=a.example"></iframe>)? The code in the iframe could then extract that information from its window.location.search to decide which is the correct safe source domain. – C Snover, Jul 4, 2013 at 20:54
- I like your idea, but not sure it is hacker free. – Shlomi Schwartz, Jul 5, 2013 at 7:44
- I'm confused! Are you developing the main window's code or the iframe's? – Mehran, Jul 5, 2013 at 11:11
1 Answer
As mentioned here, you should not expect the parent's origin to be sent to you in postMessage's parameter. Instead:
If you do expect to receive messages from other sites, always verify the sender's identity using the origin and possibly source properties. Any window (including, for example, http://evil.example.) can send a message to any other window, and you have no guarantees that an unknown sender will not send malicious messages. Having verified identity, however, you still should always verify the syntax of the received message. Otherwise, a security hole in the site you trusted to send only trusted messages could then open a cross-site scripting hole in your site.
And once you have the main frame's URI in your iframe, you can verify its authorization with a simple AJAX call to the server. In my point of view, a server call is inevitable and one way or another you will make such a call.
There are other ways to know who is including your iframe, but they are not relying on postMessage. For instance, if you are using PHP, you can check $_SERVER['HTTP_REFERER'] to see who is requesting your iframe even before it is sent to the browser. Yet there are ways of referrer spoofing as well.
If your application requires a solid bullet proof solution then server to server communication is your way. In this scenario, each client of yours has a username and password and the web server who is going to serve the main page should ask for a one time pass token from the web server who is serving the iframe (this is a server to server communication). And then use the token in the iframe's URL to be sent back to the server that generated it. Here's a step by step of this scenario:
- End user asks for the URL http://customer./main.php.
- While main.php is executing and populating the response, it also connects to http://you_website./generate_token.php?username=cutomer1&password=123 and gets a one time pass token token1.
- The response is returned to the browser containing an iframe with URL http://your_website./iframe.php?token=token1.
- In iframe.php you verify the token1 to see if it is valid, and, at the same time, you are authenticating the requester without actually asking for his username and/or password (since you know who you have generated the token for).
Such tokens are usually deleted once used (one time pass) and they also usually come with an expiration date. But that's up to you and your application.
Title: javascript - JS - How to securely use window.postMessage when the sender domain is unknown - Stack Overflow