Using postMessage() in JavaScript with iframes for cross domain communication

Multi tool use
Multi tool use

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;







up vote
0
down vote

favorite












I am trying to enable communication via JavaScript from an iframe and its parent window when they are on different domains. I did a lot of research and it turned out that postMessage() is a good approach if used correctly. I have read the vast resources about how to use it to make sure it’s implemented in a secure way and came up with the code. However, as I am still new to coding, I am paranoiac about XSS vulnerabilities and this code looks too simple to me to be fully secure. I would appreciate if someone can review it.



Context:



  • The message must be sent from the iframe to the parent window only

  • The iframe is HTTPS, while the parent is HTTP

  • The message doesn’t contain sensitive data – it’s just a simple indicator for the parent window to do trigger a google tag manager custom event

  • Parent window domain in the example is: http://my-main-web.com

  • Iframe domain in the example is: https://my-iframe-web.com

Questions:



  • Is the code exposed to security risks?

  • Are there other risks apart that the attacker might find out the message content is 'download'? For example, can meticulous code be injected through the message?

Sender (iframe):



<script type="text/javascript">
 parent.postMessage("download occurred", "http://my-main-web.com");
</script>


Receiver (parent window):



<script type="text/javascript">
 function receiveMessage(event) ;

 window.addEventListener("message", receiveMessage, false);
</script>



javascript security event-handling




share|improve this question



























    up vote
    0
    down vote

    favorite












    I am trying to enable communication via JavaScript from an iframe and its parent window when they are on different domains. I did a lot of research and it turned out that postMessage() is a good approach if used correctly. I have read the vast resources about how to use it to make sure it’s implemented in a secure way and came up with the code. However, as I am still new to coding, I am paranoiac about XSS vulnerabilities and this code looks too simple to me to be fully secure. I would appreciate if someone can review it.



    Context:



    • The message must be sent from the iframe to the parent window only

    • The iframe is HTTPS, while the parent is HTTP

    • The message doesn’t contain sensitive data – it’s just a simple indicator for the parent window to do trigger a google tag manager custom event

    • Parent window domain in the example is: http://my-main-web.com

    • Iframe domain in the example is: https://my-iframe-web.com

    Questions:



    • Is the code exposed to security risks?

    • Are there other risks apart that the attacker might find out the message content is 'download'? For example, can meticulous code be injected through the message?

    Sender (iframe):



    <script type="text/javascript">
     parent.postMessage("download occurred", "http://my-main-web.com");
    </script>


    Receiver (parent window):



    <script type="text/javascript">
     function receiveMessage(event) ;

     window.addEventListener("message", receiveMessage, false);
    </script>



    javascript security event-handling




    share|improve this question























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      I am trying to enable communication via JavaScript from an iframe and its parent window when they are on different domains. I did a lot of research and it turned out that postMessage() is a good approach if used correctly. I have read the vast resources about how to use it to make sure it’s implemented in a secure way and came up with the code. However, as I am still new to coding, I am paranoiac about XSS vulnerabilities and this code looks too simple to me to be fully secure. I would appreciate if someone can review it.



      Context:



      • The message must be sent from the iframe to the parent window only

      • The iframe is HTTPS, while the parent is HTTP

      • The message doesn’t contain sensitive data – it’s just a simple indicator for the parent window to do trigger a google tag manager custom event

      • Parent window domain in the example is: http://my-main-web.com

      • Iframe domain in the example is: https://my-iframe-web.com

      Questions:



      • Is the code exposed to security risks?

      • Are there other risks apart that the attacker might find out the message content is 'download'? For example, can meticulous code be injected through the message?

      Sender (iframe):



      <script type="text/javascript">
       parent.postMessage("download occurred", "http://my-main-web.com");
      </script>


      Receiver (parent window):



      <script type="text/javascript">
       function receiveMessage(event) ;

       window.addEventListener("message", receiveMessage, false);
      </script>



      javascript security event-handling




      share|improve this question













      I am trying to enable communication via JavaScript from an iframe and its parent window when they are on different domains. I did a lot of research and it turned out that postMessage() is a good approach if used correctly. I have read the vast resources about how to use it to make sure it’s implemented in a secure way and came up with the code. However, as I am still new to coding, I am paranoiac about XSS vulnerabilities and this code looks too simple to me to be fully secure. I would appreciate if someone can review it.



      Context:



      • The message must be sent from the iframe to the parent window only

      • The iframe is HTTPS, while the parent is HTTP

      • The message doesn’t contain sensitive data – it’s just a simple indicator for the parent window to do trigger a google tag manager custom event

      • Parent window domain in the example is: http://my-main-web.com

      • Iframe domain in the example is: https://my-iframe-web.com

      Questions:



      • Is the code exposed to security risks?

      • Are there other risks apart that the attacker might find out the message content is 'download'? For example, can meticulous code be injected through the message?

      Sender (iframe):



      <script type="text/javascript">
       parent.postMessage("download occurred", "http://my-main-web.com");
      </script>


      Receiver (parent window):



      <script type="text/javascript">
       function receiveMessage(event) ;

       window.addEventListener("message", receiveMessage, false);
      </script>




      javascript security event-handling





      share|improve this question












      share|improve this question




      share|improve this question








      edited Jul 10 at 19:35









      Jamal♦

      30.1k11114225




      30.1k11114225









      asked Jul 10 at 18:50









      Mihai Plavitu

      11




      11

























          active

          oldest

          votes











          Your Answer




          StackExchange.ifUsing("editor", function ()
          return StackExchange.using("mathjaxEditing", function ()
          StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
          StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["\$", "\$"]]);
          );
          );
          , "mathjax-editing");

          StackExchange.ifUsing("editor", function ()
          StackExchange.using("externalEditor", function ()
          StackExchange.using("snippets", function ()
          StackExchange.snippets.init();
          );
          );
          , "code-snippets");

          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "196"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: false,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );








           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f198238%2fusing-postmessage-in-javascript-with-iframes-for-cross-domain-communication%23new-answer', 'question_page');

          );

          Post as a guest






















          active

          oldest

          votes













          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes










           

          draft saved


          draft discarded


























           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f198238%2fusing-postmessage-in-javascript-with-iframes-for-cross-domain-communication%23new-answer', 'question_page');

          );

          Post as a guest
































































          Ry5ElljwgdeEFU 4L,VLC,oI5WaF p2ryZBBLsG9wSPP KvJnbt
          -
          fLKPvcq2,Y1ycb o,5bu j0TRMC 8j9d WdsgG

          Popular posts from this blog

          Chat program with C++ and SFML

          Image
          Clash Royale CLAN TAG #URR8PPP .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0; up vote 2 down vote favorite This is my client code: (My server is very similar at the moment but I will upload it below this one just in case somebody wants to run it) #include <SFML/Graphics.hpp> #include <SFML/Network.hpp> #include <thread> int main() sf::RenderWindow main_win(sf::VideoMode(800, 800), "Chatcy!"); main_win.setPosition(sf::Vector2i(sf::VideoMode::getDesktopMode().width/2 -400, sf::VideoMode::getDesktopMode().height/2 -400)); main_win.setVerticalSyncEnabled(true); //chatcy logo sf::Texture chatcy; chatcy.loadFromFile("image_chatcy.png"); sf::Sprite logo; logo.setTexture(chatcy); //200x800 //font sf::Font font; font.loadFromFile("FreeSerif.ttf"); //name sf::String name("Client"); name += ": "; //text input area and background sf::RectangleShape in_backg...
          Read more

          Function to Return a JSON Like Objects Using VBA Collections and Arrays

          Image
          Clash Royale CLAN TAG #URR8PPP .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0; up vote 1 down vote favorite My goal is to create a compact function that can create a JSON Like object from JSON string. I want a function with a small footprint that I or anyone who wants to use it, can simply paste into a module and use. At 61 lines of code, I am happy with its size and portability. Here is an image of JSON Object created from string data using a ScriptControl . Although the Locals Window displays the properties and values correctly, the object itself is extremely difficult to work with. This image shows an object created using getJSONCollection . Because it is made of VBA Collections and Arrays, it is very easy to work with. Option Explicit Private Function getJSONCollection(ByVal Value As Variant, Optional ScriptEngine As Object) As Variant Const DELIMITER As String = "||" Dim col As Collection, JSON As Object, KeyNam...
          Read more

          ADO Stream Object

          googletag.cmd.push(function() { googletag.display('div-gpt-ad-1422003450156-2'); }); ADO Stream Object ❮ Previous Next ❯ Stream Object (ADO version 2.5) The ADO Stream Object is used to read, write, and manage a stream of binary data or text. A Stream object can be obtained in three ways: From a URL pointing to a document, a folder, or a Record object By instantiating a Stream object to store data for your application By opening the default Stream object associated with a Record object Syntax objectname.property objectname.method Properties Property Description CharSet Sets or returns a value that specifies into which character set the contents are to be translated. This property is only used with text Stream objects (type is adTypeText) EOS Returns whether the current position is at the end of the stream or not LineSeparator Sets or returns the line separator character used ...
          Read more