Cross-origin messages (`window.postMessage`) whose origins are not verified let an attacker read data from, or inject commands into, a web application. On the sending side, the wildcard target origin `*` delivers the message to whatever document is currently loaded in the target window — including an attacker-controlled page the window was navigated to — so any secret in the message leaks; on the receiving side, a handler that does not check `event.origin` accepts forged messages from any page. Depending on what the message carries or triggers, this can lead to redirection to malicious websites, information leakage, or modification of the target application, up to takeover of user accounts.
/**
 * Noncompliant example: posts a secret into the embedded iframe using the
 * wildcard target origin.
 *
 * With `"*"` the browser delivers the message to whatever document is loaded
 * in the frame at that moment, regardless of its origin. If the frame has been
 * navigated to an attacker-controlled page, that page receives `"secret_value"`.
 */
function originsVerifiedCrossOriginCommunicationsNoncompliant(): void {
  const frame = document?.querySelector(".testiframe") as HTMLIFrameElement;
  const target = frame?.contentWindow;
  if (!target) {
    return;
  }
  // Noncompliant: `"*"` disables the target-origin check entirely.
  target.postMessage("secret_value", "*");
}
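/**
 * Compliant example: posts a secret into the embedded iframe, restricted to
 * one explicit target origin.
 *
 * `postMessage` only delivers the message if the document currently loaded in
 * the frame has exactly this origin (scheme + host + port), so a frame that has
 * been navigated elsewhere — e.g. to an attacker-controlled page — never
 * receives it. The wildcard `"*"` would disable that check.
 *
 * @param targetOrigin - Exact, normalized https origin the message may be
 *   delivered to (no path, query, or credentials). Defaults to the example's
 *   trusted origin.
 * @throws TypeError if `targetOrigin` is the wildcard `"*"`, is not a valid
 *   URL, is not `https:`, or is not a bare origin (e.g. it carries a path).
 */
function originsVerifiedCrossOriginCommunicationsCompliant(
  targetOrigin = "https://secure.example.com",
): void {
  // Fail closed: a caller must not be able to widen the target to every origin
  // (`"*"`), downgrade it to http, or pass a full URL whose origin differs from
  // what they think they are allow-listing.
  let isExactHttpsOrigin = false;
  try {
    const url = new URL(targetOrigin);
    isExactHttpsOrigin = url.protocol === "https:" && url.origin === targetOrigin;
  } catch {
    // Not parseable as a URL (covers "*" and garbage); treated as untrusted below.
  }
  if (!isExactHttpsOrigin) {
    throw new TypeError(
      `Refusing to post secret to untrusted target origin: ${targetOrigin}`,
    );
  }

  const frame = document?.querySelector(".testiframe") as HTMLIFrameElement | null;
  // Compliant: explicit origin — the browser drops the message if the frame's
  // current document has a different origin.
  frame?.contentWindow?.postMessage("secret_value", targetOrigin);
}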