Permissive origin in postMessage

Description

The use of a permissive origin in postMessage calls poses a security risk. When you set the target origin to "*" in a postMessage call, it means any website can receive the message, potentially exposing sensitive information to third parties.

Remediations

  • Do not use "*" as the target origin in postMessage calls. This approach is insecure as it allows any website to receive the messages.
    window.postMessage(message, '*'); // unsafe
  • Do specify the exact origin of the target application when using postMessage. This practice ensures that only the intended recipient can read the message.
    window.postMessage(message, 'https://myapp.example.com');
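As an added illustration of the two remediations above (example code, not part of the Bearer rule or its project), the following Node-runnable model reproduces the browser's delivery rule for postMessage and shows why '*' leaks a value while an exact target origin, paired with a receiver-side origin check, contains it. FakeWindow, the origins and the token value are constructed for this example.

```javascript
// Origin the sending page believes its child frame is loaded from.
const APP_ORIGIN = 'https://myapp.example.com';

// Stand-in for a browser window (constructed for this example). `origin` is
// where the frame is loaded right now, which may differ from what the
// sender assumes if the frame has since navigated elsewhere.
class FakeWindow {
  constructor(origin) {
    this.origin = origin;
    this.received = [];
  }

  // Browser rule: deliver only when targetOrigin is '*' or equals this
  // window's current origin; otherwise the message is silently dropped.
  // `senderOrigin` is what the receiver will see as event.origin.
  postMessage(data, targetOrigin, senderOrigin) {
    if (targetOrigin !== '*' && targetOrigin !== this.origin) {
      return false;
    }
    this.received.push({ data, origin: senderOrigin });
    return true;
  }
}

// Unsafe sender: '*' delivers the token wherever the frame happens to point.
function sendUnsafe(frame, token) {
  return frame.postMessage({ token }, '*', APP_ORIGIN);
}

// Safe sender: the browser drops the message unless the frame is at APP_ORIGIN.
function sendSafe(frame, token) {
  return frame.postMessage({ token }, APP_ORIGIN, APP_ORIGIN);
}

// Receiver side: exact allow-list match on event.origin. A substring or
// startsWith test would accept 'https://myapp.example.com.evil.test'.
function acceptMessage(event, allowed = [APP_ORIGIN]) {
  return allowed.includes(event.origin) ? event.data : null;
}

function demo() {
  const navigatedAway = new FakeWindow('https://other-site.example');
  const legit = new FakeWindow(APP_ORIGIN);
  const lookalike = { origin: 'https://myapp.example.com.evil.test', data: 'x' };
  return {
    unsafeLeaks: sendUnsafe(navigatedAway, 'secret'), // true: delivered off-site
    safeBlocked: sendSafe(navigatedAway, 'secret'),   // false: dropped by browser
    safeDelivered: sendSafe(legit, 'secret'),         // true: intended recipient
    lookalikeRejected: acceptMessage(lookalike) === null, // true
  };
}
```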

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_post_message_origin

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_lang_post_message_origin