ABSTRACT

The program posts a cross-document message with an overly permissive target origin.

EXPLANATION

One of the new features of HTML5 is cross-document messaging, which allows scripts to post messages to other windows. The corresponding API allows the sender to specify the origin of the target window. Caution should be taken when specifying the target origin, because an overly permissive target origin will allow a malicious script to communicate with the victim window in an inappropriate way, leading to spoofing, data theft, relay and other attacks.

Example 1: Below is an example of using a wildcard to programmatically specify the target origin of the message to be sent.


o.contentWindow.postMessage(message, '*');


Using * as the value of the target origin indicates that the script sends the message to the window regardless of its origin.
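The following added example (not part of the original text) contrasts the wildcard call from Example 1 with a send that uses an exact, allowlisted target origin. The origins, the allowlist, the function names and the fakeWindow helper, which models the browser's origin check in simplified form, are assumptions made for illustration.

```javascript
// Added example: names, origins and the fake window are constructed for illustration.
const ALLOWED_ORIGINS = new Set(['https://widget.example.com']);

// Derive the target origin from the URL we intended to load, and refuse
// anything that is not an exact, allowlisted origin (never '*').
function resolveTargetOrigin(intendedUrl, allowed = ALLOWED_ORIGINS) {
  let origin;
  try {
    origin = new URL(intendedUrl).origin;
  } catch {
    throw new Error('target URL is not absolute: ' + intendedUrl);
  }
  if (origin === 'null' || !allowed.has(origin)) {
    throw new Error('origin not allowlisted: ' + origin);
  }
  return origin;
}

// Hardened counterpart of postMessage(message, '*').
function postToFrame(targetWindow, intendedUrl, message) {
  targetWindow.postMessage(message, resolveTargetOrigin(intendedUrl));
}

// Simplified model of the browser's delivery rule: the message is dispatched
// only if targetOrigin is '*' or equals the window's current origin.
function fakeWindow(currentOrigin) {
  return {
    received: [],
    postMessage(message, targetOrigin) {
      if (targetOrigin === '*' || targetOrigin === currentOrigin) {
        this.received.push(message);
      }
    },
  };
}

// Case 1 and 2: the frame no longer holds the intended origin.
// Case 3: the frame holds the intended origin.
function demo() {
  const message = { token: 'constructed-sample-value' };
  const viaWildcard = fakeWindow('https://other.example.net');
  viaWildcard.postMessage(message, '*');
  const viaExplicit = fakeWindow('https://other.example.net');
  postToFrame(viaExplicit, 'https://widget.example.com/embed', message);
  const expected = fakeWindow('https://widget.example.com');
  postToFrame(expected, 'https://widget.example.com/embed', message);
  return [viaWildcard.received.length, viaExplicit.received.length, expected.received.length];
}
```

With the wildcard the message reaches whatever document currently occupies the window; with the explicit origin it is dropped unless the window's origin matches exactly.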
