This is my first foray into using postMessage. Want to make sure the communication between the child iframe and the parent is secure.
Per this page: https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
"If you do expect to receive messages from other sites, always verify the sender's identity using the origin and possibly source properties. Any window (including, for example, http://evil.example.com) can send a message to any other window, and you have no guarantees that an unknown sender will not send malicious messages. Having verified identity, however, you still should always verify the syntax of the received message. Otherwise, a security hole in the site you trusted to send only trusted messages could then open a cross-site scripting hole in your site."
Here is what the parent's message listening function looks like:
uri = 'https://www.somedomain.com/';
window.addEventListener("message", function(event) {
if (event.origin !== uri.base.slice(0, -1)) return;
if (event.source.location.origin !== uri.base.slice(0, -1)) return;
if (event.source.location.origin !== window.location.origin) return;
console.log(event.data);
});
The child iframe's postMessage call:
uri = 'https://www.somedomain.com/';
eventData = {'type':'sometype','action':'someaction','id':'q12wucxdfgbvgfcvt'};
parent.postMessage(eventData, uri.slice(0, -1));
Are the checks in the listening function enough? Or too many?
Thanks
