The W3C security guidance on this is surprisingly precise and complete:
Authors should check the origin attribute to ensure that messages are
only accepted from domains that they expect to receive messages from.
Otherwise, bugs in the author's message handling code could be
exploited by hostile sites.
Furthermore, even after checking the origin attribute, authors should
also check that the data in question is of the expected format.
Otherwise, if the source of the event has been attacked using a
cross-site scripting flaw, further unchecked processing of information
sent using the postMessage() method could result in the attack being
propagated into the receiver.
Authors should not use the wildcard keyword (*) in the targetOrigin
argument in messages that contain any confidential information, as
otherwise there is no way to guarantee that the message is only
delivered to the recipient to which it was intended.
Authors who accept messages from any origin are encouraged to consider
the risks of a denial-of-service attack. An attacker could send a high
volume of messages; if the receiving page performs expensive
computation or causes network traffic to be sent for each such
message, the attacker's message could be multiplied into a
denial-of-service attack. Authors are encouraged to employ rate
limiting (only accepting a certain number of messages per minute) to
make such attacks impractical.
The most important thing is to always validate the origin: you would be surprised how many sites fail to do this. If the message is confidential, you need to specify the targetOrigin argument.
This of course assumes that the browser implementation is correct and free of holes. The major browsers have been evaluated and no problems were found.
See also this Post-message security review checklist.
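The three checks in the quoted guidance (origin allow-list, payload format validation, per-origin rate limiting) plus an explicit targetOrigin on the sending side, as an added JavaScript example that is not part of the original answer; the allowed origin, the message shape and the limit are assumed values.

```javascript
// Added example: a postMessage receiver following the W3C guidance quoted above.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // assumed origin
const MAX_PER_MINUTE = 60;                                    // assumed limit
const received = new Map(); // origin -> timestamps of messages in the last minute

// Check 2: accept only the exact shape this page expects (assumed schema).
function isExpectedFormat(data) {
  return data !== null && typeof data === "object" &&
    data.type === "update" && typeof data.value === "string" &&
    data.value.length <= 256;
}

// Check 3: sliding one-minute window per origin, so a flood cannot turn
// expensive per-message work into a denial of service.
function withinRateLimit(origin, now) {
  const stamps = (received.get(origin) || []).filter((t) => now - t < 60000);
  stamps.push(now);
  received.set(origin, stamps);
  return stamps.length <= MAX_PER_MINUTE;
}

// Returns a sanitised copy of the payload, or null if the message is ignored.
// `now` is injectable so the limiter can be exercised deterministically.
function handleMessage(event, now = Date.now()) {
  if (!ALLOWED_ORIGINS.has(event.origin)) return null;   // check 1: origin
  if (!withinRateLimit(event.origin, now)) return null;  // check 3: rate limit
  if (!isExpectedFormat(event.data)) return null;        // check 2: format
  return { type: event.data.type, value: event.data.value };
}

// Sender side: name the recipient origin instead of "*", so a confidential
// message is dropped if the target frame has navigated somewhere else.
function sendConfidential(targetWindow, payload) {
  targetWindow.postMessage(payload, "https://app.example.com");
}

if (typeof window !== "undefined") {
  window.addEventListener("message", (e) => {
    const msg = handleMessage(e);
    if (msg) console.log("accepted", msg);
  });
}
```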