DP-41580-a11y-fix-editor-high-zoom#3105
| if (role !== "button" && systemPath && systemPath.trim() !== "") { | ||
| closeToolbarTray(); | ||
| } | ||
| }, true); |
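Review bot: The Checkov finding against toolbar-zoom-override.js (message listener without an origin check) is not visible in this hunk, which only shows the tail of a listener registered with `true` (capture phase) that calls closeToolbarTray() when role is not "button" and systemPath is non-empty; please include the message handler in the diff and make sure it returns early unless event.origin matches a fixed trusted origin, and that any postMessage call passes that origin rather than '*'. Also confirm that closing the tray from a capture-phase listener on every non-button click is intended, since it fires before the target's own handlers.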
Insecure communication using postMessage and event listeners
File: toolbar-zoom-override.js | Checkov ID: CKV3_SAST_74
How To Fix
```javascript
const trustedOrigin = 'https://trusted.com';
// Post to a specific frame with an explicit target origin, never '*'
// (the target iframe is assumed to be the first one on the page)
const frame = document.querySelector('iframe');
frame.contentWindow.postMessage(data, trustedOrigin);
window.addEventListener('message', function(event) {
  if (event.origin !== trustedOrigin) return;
  // Process event.data after verifying event.origin
}, false);
```
Description
CWE: CWE-345: Insufficient Verification of Data Authenticity
OWASP: A01:2021-Broken Access Control
In web applications, the postMessage method and the addEventListener for message events are used to facilitate cross-origin communication. When misconfigured, these can lead to security vulnerabilities such as data leakage or unauthorized actions.
One common vulnerability arises when using the wildcard origin (*) with the postMessage method. This allows any website to receive the message, potentially leading to sensitive information being exposed.
Similarly, not verifying the origin of the message in an addEventListener handler can lead to processing messages from malicious sources.
For example, vulnerable code might look like:
```javascript
// Wildcard target origin: any document holding a reference to the frame can receive data
// (the target iframe is assumed to be the first one on the page)
const frame = document.querySelector('iframe');
frame.contentWindow.postMessage(data, '*');
window.addEventListener('message', function(event) {
  // Process event.data without verifying event.origin
}, false);
```
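As an added example (not code from this PR or from Checkov), here is how the origin check described above looks when the handler is written as a pure function, so it can be tested outside a browser: the origin is checked against an allowlist before the payload is even inspected, the payload shape and range are validated, and outbound messages are sent with an explicit target origin. The origins, message type and zoom range are assumed for illustration.

```javascript
// Added example: origin-checked postMessage handling for a cross-frame toolbar.
// Origins and message shape below are constructed sample values.
const TRUSTED_ORIGINS = new Set([
  'https://editor.example.com',
  'https://toolbar.example.com',
]);

// Returns the command to apply, or null when the message must be ignored.
// The origin check comes first; untrusted senders never reach payload parsing.
function handleToolbarMessage(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return null;
  const data = event.data;
  if (!data || typeof data !== 'object') return null;
  if (data.type !== 'toolbar:zoom') return null;
  const zoom = Number(data.zoom);
  // Reject anything outside the zoom levels the toolbar actually supports.
  if (!Number.isFinite(zoom) || zoom < 100 || zoom > 400) return null;
  return { action: 'setZoom', zoom };
}

// Sends a message to a specific frame with an explicit target origin, never '*'.
// The browser then drops the message if the frame has navigated elsewhere.
function postToFrame(frameWindow, message, targetOrigin) {
  if (!TRUSTED_ORIGINS.has(targetOrigin)) {
    throw new Error('refusing to post to untrusted origin: ' + targetOrigin);
  }
  frameWindow.postMessage(message, targetOrigin);
}

// Browser wiring; skipped when run under Node so the functions stay testable.
if (typeof window !== 'undefined') {
  window.addEventListener('message', (event) => {
    const cmd = handleToolbarMessage(event);
    // applyZoom is a hypothetical hook for the page's own zoom logic.
    if (cmd && typeof applyZoom === 'function') applyZoom(cmd.zoom);
  }, false);
}
```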