postMessage Broadcasts
October 1, 2020
Applications often use postMessage broadcasts to share information with other origins. Using postMessage can lead to two kinds of XS-Leaks:
1. Sharing sensitive messages with untrusted origins
   - The `postMessage` API supports a `targetOrigin` parameter that can be used to restrict which origins can receive the message. If the message contains any sensitive data, it is important to use this parameter.
2. Leaking information based on varying content or on the presence of a broadcast
   - Similar to other XS-Leak techniques, this could be used to form an oracle. For example, if an application sends a postMessage broadcast saying “Page Loaded” only if a user with a given username exists, this could be used to leak information.
Defense
There is no clear solution to mitigate this XS-Leak as it depends deeply on the purpose of sending a postMessage broadcast. Applications should limit postMessage communications to a group of known origins. When this is not possible, the communications should behave consistently regardless of the state to prevent attackers from inferring information based on differences between the communications.
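As an added illustration (not code from the XS-Leaks wiki), the two weak broadcast patterns above are shown next to hardened forms: the `win` object, `TRUSTED_ORIGIN` and the recording stub are assumptions so the logic can run outside a browser, where `win` would be the real target window.

```javascript
// Added example, not from the original page. `win` stands in for the target
// window (e.g. an iframe's contentWindow): any object with postMessage(data, targetOrigin).

const TRUSTED_ORIGIN = "https://app.example"; // assumed allowlisted peer origin

// Weak: broadcasts to every origin ('*') and only when the lookup succeeds, so
// the mere presence of the message reveals whether the user exists.
function weakBroadcast(win, userExists) {
  if (userExists) {
    win.postMessage({ type: "pageLoaded", userExists: true }, "*");
  }
}

// Hardened: always sends a message of the same shape, restricted to one known
// origin, so neither presence nor content varies with the secret state.
function hardenedBroadcast(win, _userExists) {
  // Sensitive state stays out of the payload; the message is sent in both states.
  win.postMessage({ type: "pageLoaded" }, TRUSTED_ORIGIN);
}

// Receiver side: drop messages whose origin is not on the allowlist.
function makeReceiver(allowedOrigins) {
  const accepted = [];
  return {
    onMessage(event) {
      if (!allowedOrigins.includes(event.origin)) return; // untrusted origin, ignore
      accepted.push(event.data);
    },
    accepted,
  };
}

// Test double recording what a sender would have broadcast and to whom.
function recordingWindow() {
  const sent = [];
  return { sent, postMessage(data, targetOrigin) { sent.push({ data, targetOrigin }); } };
}

// True when an observer can tell the "user exists" state apart from the other
// one by what the sender broadcasts: that is exactly the oracle the page describes.
function observableDifference(broadcast) {
  const a = recordingWindow(); broadcast(a, true);
  const b = recordingWindow(); broadcast(b, false);
  return JSON.stringify(a.sent) !== JSON.stringify(b.sent);
}
```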