postMessage Broadcasts

October 1, 2020

Applications often use postMessage broadcasts to share information with other origins. Using postMessage can lead to two kinds of XS-Leaks: Sharing sensitive messages with untrusted origins The postMessage API supports a targetOrigin parameter that can be used to restrict which origins can receive the message. If the message contains any sensitive data, it is important to use this parameter. Leaking information based on varying content or on the presence of a broadcast ...