I'm having a hard time understanding the security issues when using a wildcard for the targetOrigin of the postMessage() method. Doesn't the window you call postMessage() on already have an origin that we are sending data to? How would someone be able to interfere with that? Would it be bad to set the targetOrigin to the window's origin using window.location.origin?
I understand the importance of checking the event origin on the receiving end (as illustrated here), but I can't seem to wrap my head around why it is bad for the sending end to use the wildcard as the targetOrigin when the window already has a specific origin.
It isn't a risk per se. It just means that anybody can embed your content in a frame and read the messages you send over the API. If the information is safe to trust anyone with, then that is fine. If it is data that should be kept private between your site, your visitors and specific partner sites, then you should be more cautious about whom you trust with the contents of the message.
Explicitly giving permission to whatever origin the request comes from is effectively the same as using '*'. You should filter on a whitelist of origins if the data needs to be kept private.
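The rule the answer relies on, as an added example that is not part of the question or the answer above: a small Node.js model of the browser's delivery decision for `window.postMessage(data, targetOrigin)` and of a receiver-side origin allow-list. The hostnames (app.example.com, partner.example.org, evil.example.net) and the helper names are made up for illustration; only the delivery rule itself (deliver when `targetOrigin` is `"*"`, or `"/"` for the sender's own origin, or exactly equals the receiving window's current origin) follows the browser behaviour.

```javascript
// Added example (not code from the original question or answer). It models the
// delivery rule of window.postMessage(data, targetOrigin) and a receiver-side
// origin allow-list so the behaviour can be exercised outside a browser.
// All hostnames below are constructed for illustration.

// An origin is scheme + host + port. URL.origin serializes it with the default
// port dropped and no path: "https://app.example.com/x" -> "https://app.example.com".
function serializeOrigin(urlString) {
  return new URL(urlString).origin;
}

// Models the browser's decision for sender.postMessage(data, targetOrigin):
// deliver only if targetOrigin is "*", or "/" and the receiver shares the
// sender's origin, or it equals the receiver's *current* origin exactly.
// A targetOrigin that does not parse as a URL makes the real call throw.
function wouldDeliver(targetOrigin, receiverUrl, senderUrl) {
  if (targetOrigin === '*') return true;
  if (targetOrigin === '/') {
    return serializeOrigin(receiverUrl) === serializeOrigin(senderUrl);
  }
  let wanted;
  try {
    wanted = new URL(targetOrigin).origin;
  } catch (e) {
    throw new SyntaxError(`invalid targetOrigin: ${targetOrigin}`);
  }
  return wanted === serializeOrigin(receiverUrl);
}

// Receiver side: accept an incoming MessageEvent only if event.origin is on an
// explicit allow-list, compared as whole strings. Prefix or substring checks are
// wrong: "https://partner.example.org.evil.net" starts with "https://partner.example.org".
function isTrustedSender(event, allowList) {
  return allowList.includes(event.origin);
}

// The point made in the answer: replying with targetOrigin = event.origin always
// delivers, exactly like "*". Take the reply origin from the allow-list instead,
// and send nothing (null) when the requester is not on it.
function replyTargetOrigin(event, allowList) {
  return isTrustedSender(event, allowList) ? event.origin : null;
}

// Walk through the framing scenario: our page, loaded inside someone else's
// frame, wants to send data to its parent window.
function scenario() {
  const ourUrl = 'https://app.example.com/widget.html';
  const allowList = ['https://partner.example.org'];
  const partnerUrl = 'https://partner.example.org/embed';
  const attackerUrl = 'https://evil.example.net/frame.html'; // framed us uninvited

  return {
    // "*" hands the payload to whoever framed us, partner and attacker alike.
    wildcardToAttacker: wouldDeliver('*', attackerUrl, ourUrl),
    // An explicit origin makes the browser drop the message silently for the attacker...
    explicitToAttacker: wouldDeliver(allowList[0], attackerUrl, ourUrl),
    // ...while still delivering to the partner.
    explicitToPartner: wouldDeliver(allowList[0], partnerUrl, ourUrl),
    // Echoing the requester's own origin back is indistinguishable from "*".
    echoToAttacker: wouldDeliver(serializeOrigin(attackerUrl), attackerUrl, ourUrl),
    // Allow-list lookup refuses to reply to the attacker at all.
    replyToAttacker: replyTargetOrigin({ origin: serializeOrigin(attackerUrl) }, allowList),
    replyToPartner: replyTargetOrigin({ origin: serializeOrigin(partnerUrl) }, allowList),
    // Receiver-side check: a look-alike origin is rejected by exact comparison.
    lookalikeAccepted: isTrustedSender({ origin: 'https://partner.example.org.evil.net' }, allowList),
  };
}

console.log(scenario());
```

In a real page the same shape applies: keep the list of partner origins as exact serialized origins, pass one of them (never `event.origin` verbatim and never `"*"`) as `targetOrigin` when the data is sensitive, and on the receiving side compare `event.origin` against the same list before touching `event.data`.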