PostMessage Without Origin Verification
window.addEventListener('message') handlers that process messages without checking event.origin, allowing any website to send commands to your app's message handler.
How It Works
postMessage is used for cross-origin iframe communication. When you listen for messages without verifying origin, any page on the internet can send a message to your window (if they can get a reference to it via a popup or iframe). If your handler performs actions based on message data, the attacker controls those actions.
```javascript
// BAD: no origin check — any site can send messages
window.addEventListener('message', (event) => {
  if (event.data.type === 'navigate') {
    window.location.href = event.data.url; // open redirect via postMessage
  }
});
```

```javascript
// GOOD: verify origin before processing
window.addEventListener('message', (event) => {
  if (event.origin !== 'https://trusted-parent.com') return;
  if (event.data.type === 'navigate') {
    const allowed = ['/dashboard', '/settings'];
    if (allowed.includes(event.data.url)) window.location.href = event.data.url;
  }
});
```
Real-World Example
PostMessage origin bypass vulnerabilities have been found in payment widgets, OAuth popups, and chat widgets. Attackers can redirect users, steal tokens passed via postMessage, or trigger actions in the embedded frame. HackerOne has hundreds of reports for this class.
How to Prevent It
- Always check event.origin against a hardcoded allowlist before processing any message
- Validate the structure and content of event.data — don't trust it blindly
- Use a specific message protocol/type system and ignore unknown message types
- When sending messages, always specify the targetOrigin parameter (never use '*')
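The four prevention points above, put together as one testable handler. This is an added example, not code from the original page or from Data Hogo; the names decide, postTo, ALLOWED_ORIGINS and ALLOWED_PATHS are assumed, and the policy is written as a pure function so it can be exercised with constructed MessageEvent-like objects outside a browser.

```javascript
// Added example (not from the original page). Names below are assumed for illustration.
const ALLOWED_ORIGINS = new Set(['https://trusted-parent.com']);
const ALLOWED_PATHS = new Set(['/dashboard', '/settings']);

// Decide what to do with a message event. Returns { action: 'navigate', path } or
// { action: 'ignore', reason }. Browser wiring would be:
//   window.addEventListener('message', (e) => { const d = decide(e); if (d.action === 'navigate') location.href = d.path; });
function decide(event, allowedOrigins = ALLOWED_ORIGINS) {
  // 1. Origin check before touching event.data. Sandboxed iframes and data: URLs report the
  //    opaque origin as the string "null", so a truthiness check would not catch it; the
  //    allowlist uses exact string matching, never startsWith/includes.
  if (typeof event.origin !== 'string' || !allowedOrigins.has(event.origin)) {
    return { action: 'ignore', reason: 'untrusted-origin' };
  }
  // 2. Structural validation: data may be a string, null or any structured-clone value,
  //    so `event.data.type` could throw or be undefined.
  const data = event.data;
  if (data === null || typeof data !== 'object' || typeof data.type !== 'string') {
    return { action: 'ignore', reason: 'malformed' };
  }
  // 3. Explicit message protocol: only known types are dispatched, everything else is dropped.
  switch (data.type) {
    case 'navigate':
      // Allowlist of exact same-origin paths; absolute and protocol-relative URLs never match.
      if (typeof data.url === 'string' && ALLOWED_PATHS.has(data.url)) {
        return { action: 'navigate', path: data.url };
      }
      return { action: 'ignore', reason: 'path-not-allowed' };
    default:
      return { action: 'ignore', reason: 'unknown-type' };
  }
}

// 4. Sender side: refuse the wildcard targetOrigin so a message (e.g. a token) cannot be
//    delivered to whatever document currently occupies the target window.
function postTo(win, message, targetOrigin) {
  if (typeof targetOrigin !== 'string' || targetOrigin === '*') {
    throw new Error("refusing to postMessage with targetOrigin '*'");
  }
  win.postMessage(message, targetOrigin);
}

// Constructed sample events, shaped like what a browser delivers to a 'message' listener.
const SAMPLE_EVENTS = [
  { origin: 'https://evil.example', data: { type: 'navigate', url: '/dashboard' } },
  { origin: 'null', data: { type: 'navigate', url: '/dashboard' } },
  { origin: 'https://trusted-parent.com', data: 'not-an-object' },
  { origin: 'https://trusted-parent.com', data: { type: 'navigate', url: 'https://evil.example' } },
  { origin: 'https://trusted-parent.com', data: { type: 'navigate', url: '/dashboard' } },
];
function runSamples() { return SAMPLE_EVENTS.map((e) => decide(e)); }
```

Only the last constructed event results in a navigation; the first four are ignored for a different reason each.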
Affected Technologies
Data Hogo detects this vulnerability automatically.
Related Vulnerabilities
DOM-Based XSS (high)
Malicious scripts executed by reading attacker-controlled data from the URL or browser APIs and writing it to the DOM using dangerous sinks like innerHTML or document.write.
Stored XSS (high)
User-supplied content saved to the database without sanitization and rendered in the browser as HTML, allowing persistent script injection that executes for every user who views the content.
Advanced Clickjacking (medium)
Absence of both X-Frame-Options and CSP frame-ancestors headers, combined with no client-side frame-busting logic, leaving the app fully embeddable in malicious iframes.
Iframe Without Sandbox Attribute (medium)
Third-party or user-generated content loaded in an iframe without the sandbox attribute, allowing that content to run scripts, access parent cookies, and navigate the top-level frame.