postMessage Broadcasts

October 1, 2020

Applications often use postMessage broadcasts to share information with other origins. Using postMessage can lead to two kinds of XS-Leaks:

  • Sharing sensitive messages with untrusted origins

    • The postMessage API supports a targetOrigin parameter that can be used to restrict which origins can receive the message. If the message contains any sensitive data, it is important to use this parameter.
  • Leaking information based on varying content or on the presence of a broadcast

    ...
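To make the first point concrete, here is an added example (not code from the XS-Leaks wiki): a sender that refuses to broadcast sensitive payloads with a wildcard targetOrigin, beside the wildcard pattern the page warns about, plus the receiving side's complementary check on event.origin. The field names, origins, payloads and the window stand-in are all constructed for the demonstration so it runs under Node rather than in a browser.

```javascript
// Added example, not code from the XS-Leaks wiki. Field names, origins and
// the fake window are constructed for this demonstration.

// Assumed: these payload fields are considered sensitive by the application.
const SENSITIVE_KEYS = new Set(["sessionState", "userEmail", "accountId"]);

function containsSensitiveData(payload) {
  return Object.keys(payload).some((key) => SENSITIVE_KEYS.has(key));
}

// The pattern the page warns about: targetOrigin "*" lets whichever origin is
// currently loaded in targetWindow read the message, trusted or not.
function broadcastInsecure(targetWindow, payload) {
  targetWindow.postMessage(payload, "*");
}

// Hardened sender: sensitive payloads must name an explicit origin. The
// browser then silently drops the message if targetWindow is at a different
// origin, so nothing sensitive reaches an untrusted document.
function broadcastSecure(targetWindow, payload, targetOrigin) {
  const wildcard = !targetOrigin || targetOrigin === "*";
  if (containsSensitiveData(payload) && wildcard) {
    throw new Error("sensitive postMessage requires an explicit targetOrigin");
  }
  targetWindow.postMessage(payload, wildcard ? "*" : targetOrigin);
}

// Receiver side: accept only messages whose event.origin is on an allow-list,
// so a message from another origin cannot drive the application.
function makeMessageHandler(allowedOrigins, onMessage) {
  const allowed = new Set(allowedOrigins);
  return function handler(event) {
    if (!allowed.has(event.origin)) return false; // dropped
    onMessage(event.data, event.origin);
    return true;
  };
}

// Constructed stand-in for a browser window so the example runs under Node;
// it records what would have been posted and with which targetOrigin.
function fakeWindow() {
  const sent = [];
  return {
    sent,
    postMessage(data, targetOrigin) { sent.push({ data, targetOrigin }); },
  };
}

// Exercise both senders and the receiver; returns the observations so they
// can be checked without a browser.
function demo() {
  const trusted = "https://app.example";        // constructed origin
  const untrusted = "https://attacker.example"; // constructed origin
  const sensitive = { sessionState: "logged-in" }; // constructed payload
  const publicInfo = { theme: "dark" };            // constructed payload

  const w = fakeWindow();
  broadcastInsecure(w, sensitive);                // posted with "*": any origin can read it

  let refusedWildcard = false;
  try { broadcastSecure(w, sensitive, "*"); } catch (e) { refusedWildcard = true; }
  broadcastSecure(w, sensitive, trusted);         // ok: explicit target
  broadcastSecure(w, publicInfo);                 // ok: nothing sensitive in the payload

  const receivedFrom = [];
  const handler = makeMessageHandler([trusted], (data, origin) => receivedFrom.push(origin));
  const accepted = handler({ origin: trusted, data: publicInfo });
  const dropped = handler({ origin: untrusted, data: publicInfo });

  return {
    insecureTarget: w.sent[0].targetOrigin, // "*"
    refusedWildcard,                        // true
    secureTarget: w.sent[1].targetOrigin,   // trusted origin
    publicTarget: w.sent[2].targetOrigin,   // "*"
    accepted,                               // true
    dropped,                                // false
    receivedFrom,                           // [trusted]
  };
}
```

In a real page the call is `window.parent.postMessage(payload, "https://app.example")` or the equivalent on an opener or iframe reference; the wrapper above only adds the refusal to send sensitive data when the origin is left as a wildcard, which is the check a code reviewer would otherwise have to make by hand for every call site.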