hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 10:45:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Updated qhelp with a third example

Browse Source
This commit is contained in:
ubuntu
2020-06-10 23:09:35 +02:00
parent 92f9f320f9
commit cf3142e083
1 changed files with 5 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
javascript/ql/src/experimental/Security/CWE-020/PostMessageNoOriginCheck.qhelp
View File

@@ -21,8 +21,11 @@ Always verify the sender's identity of incoming messages.
<p>In the first example, the `MessageEvent.data` is passed to the `eval` function withouth checking the origin. This means that any window can send arbitrary messages that will be executed in the window receiving the message</p>
<sample src="examples/postMessageNoOriginCheck.js" />
<p> In the second example, the `MessageEvent.origin` is checked against a trusted origin.
<sample src="examples/postMessageWithOriginCheck.js" />
<p> In the second example, the `MessageEvent.origin` is verified with an unsecure check. For example, using `event.origin.indexOf('www.example.com') > -1` can be baypassed because the string `www.example.com` could appear anywhere in `event.origin` (i.e. `www.example.com.mydomain.com`)
<sample src="examples/postMessageWithInsufficientCheck.js" />
<p> In the third example, the `MessageEvent.origin` is properly checked against a trusted origin.
<sample src="examples/postMessageWithInsufficientCheck.js" />
</example>