postMessage Broadcasts

postMessage Broadcasts

October 1, 2020
Abuse postMessage
Category Attack
Defenses Application Fix

Applications often use postMessage broadcasts to share information with other origins. Using postMessage can lead to two kinds of XS-Leaks:

  • Sharing sensitive messages with untrusted origins

    • The postMessage API supports a targetOrigin parameter that can be used to restrict which origins can receive the message. If the message contains any sensitive data, it is important to use this parameter.
  • Leaking information based on varying content or on the presence of a broadcast

    • Similar to other XS-Leak techniques, this could be used to form an oracle. For example, if an application sends a postMessage broadcast saying “Page Loaded” only if a user with a given username exists, this could be used to leak information.

Defense #

There is no clear solution to mitigate this XS-Leak as it depends deeply on the purpose of sending a postMessage broadcast. Applications should limit postMessage communications to a group of known origins. When this is not possible, the communications should behave consistently regardless of the state to prevent attackers from inferring information based on differences between the communications.

References #