The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5 Websites

Author(s): Sooel Son and Vitaly Shmatikov

Download: Paper (PDF)

Date: 23 Apr 2013

Document Type: Presentations

Additional Documents: Slides

Associated Event: NDSS Symposium 2013

Abstract:

The postMessage facility in HTML5 enables communication between web content from different origins.  We analyze postMessage receivers used in Alexa top 10,000 sites and demonstrate that many of them perform origin checks incorrectly.  This leads to multiple vulnerabilities, from cross-site scripting to injection of arbitrary content into localStorage. We then propose several patterns for safe usage of postMessage.