
postMessage Security Testing

What is postMessage()?

Cyb3rlant3rn
6 min read · Sep 16, 2023

The window.postMessage() method safely enables cross-origin communication between window objects; e.g., between a page and a pop-up that it spawned, or between a page and an iframe embedded within it.

[Figure: Browser window]

Normally, scripts on different pages are allowed to access each other if and only if the pages they originate from share the same protocol, port number, and host (also known as the “same-origin policy”). window.postMessage() provides a controlled mechanism to securely circumvent this restriction (if used properly).

Syntax

postMessage(message, targetOrigin, transfer)

Message-

Message is a serialized object that is to be sent from one window to another.

TargetOrigin -

Specifies what the origin of the target window must be for the event to be dispatched, either as the literal string ‘*’ (indicating no preference) or as a URI. Using ‘*’ as the targetOrigin value can disclose the data you send to any interested malicious site.

Transfer-

An optional array of transferable objects to transfer ownership of. If the ownership of an object is transferred, it becomes unusable in the context it was sent from and becomes available only to the worker it was sent to. Transferable…
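The targetOrigin rule described above, as an added example that is not code from the original article: it shows why ‘*’ delivers a message to whatever document the target window currently holds, while a pinned origin causes the message to be dropped on mismatch. FakeWindow, sendToOrigin, the example origins and the token are all hypothetical, and the dispatch rule is a simplified model of browser behaviour so that the block runs under Node.

```javascript
// Added example. FakeWindow is a hypothetical stand-in for a browser Window
// so the dispatch rule can be exercised under Node; it is simplified.
class FakeWindow {
  constructor(origin) {
    this.origin = origin;   // origin of the document currently loaded
    this.received = [];     // messages that were actually dispatched
  }
  postMessage(message, targetOrigin) {
    // Dispatch only when targetOrigin is '*' or matches the window's
    // current origin; otherwise the message is silently dropped.
    if (targetOrigin === '*' || new URL(targetOrigin).origin === this.origin) {
      this.received.push(message);
    }
  }
}

// Hypothetical sender-side wrapper: refuses '*' and pins an https origin.
function sendToOrigin(targetWindow, message, expectedOrigin) {
  if (expectedOrigin === '*') {
    throw new Error('wildcard targetOrigin refused');
  }
  const url = new URL(expectedOrigin); // throws on a malformed value
  if (url.protocol !== 'https:') {
    throw new Error('targetOrigin must be an https origin');
  }
  targetWindow.postMessage(message, url.origin);
}

function demo() {
  const secret = { token: 'constructed-sample-token' }; // constructed value
  const frame = new FakeWindow('https://widget.example');
  // The frame now holds a document from an origin the sender did not expect.
  frame.origin = 'https://other.example';

  frame.postMessage(secret, '*');                 // delivered regardless
  const deliveredWithWildcard = frame.received.length;

  sendToOrigin(frame, secret, 'https://widget.example'); // origin mismatch
  const deliveredWhenPinned = frame.received.length - deliveredWithWildcard;

  return { deliveredWithWildcard, deliveredWhenPinned };
}

console.log(demo());
```

When reviewing a code base, every postMessage call whose second argument is ‘*’ and whose message carries sensitive data is a candidate for replacement with a pinned origin as in sendToOrigin.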
