I would like to create a secure postMessage connection (origin safe), with an Iframe that is created at runtime.
Current state:
I have a script, that generates an iframe with a specific domain (domain.b.com
in the example below). I want that iframe to receive messages only from the parent domain (the page that included my script). Since the parent domain is unknown at runtime, I'm thinking of a "Handshake" process as described and illustrated below:
Edit: More Info:
Example 1:
Example 2:
Is that the right way to implement it?
Security-Reviewing Uses of postMessage()postMessage is generally considered very secure as long as the programmer is careful to check the origin and source of an arriving message. Acting on a message without verifying its source opens a vector for cross-site scripting attacks.
PostMessage() is a global method that safely enables cross-origin communication. It's a lot like Ajax but with cross-domain capability. We'll give it a whirl by setting up two-way communication between a web page and an iframe whose content resides on another server.
SendMessage: Sends a message and waits until the procedure which is responsible for the message finishes and returns. PostMessage: Sends a message to the message queue and returns immediately.
As mentioned here, you should not expect the parent's origin to be sent to you in postMessage
's parameter. Instead:
If you do expect to receive messages from other sites, always verify the sender's identity using the origin and possibly source properties. Any window (including, for example, http://evil.example.com) can send a message to any other window, and you have no guarantees that an unknown sender will not send malicious messages. Having verified identity, however, you still should always verify the syntax of the received message. Otherwise, a security hole in the site you trusted to send only trusted messages could then open a cross-site scripting hole in your site.
And once you have the main frame's URI in your iframe, you can verify its authorization with a simple AJAX call to the server. In my point of view, a server call is inevitable and one way or another you will make such a call.
There are other ways to know who is including your iframe but they are not relying on postMessage
. For instance if you are using PHP, you can check $_SERVER['HTTP_REFERER']
to see who is requesting your iframe even before it is sent to the browser. Yet there are ways to referrer spoofing as well.
If your application requires a solid bullet proof solution then server to server communication is your way. In this scenario, each client of yours has a username and password and the web server who is going to serve the main page should ask for a one time pass token from the web server who is serving the iframe (this is a server to server communication). And then use the token in the iframe's URL to be sent back to the server generated it. Here's a step by step of this scenario:
End user asks for the URL http://customer.com/main.php
.
While main.php
is executing and populating the response, it also
connects to
http://you_website.com/generate_token.php?username=cutomer1&password=123
and gets a one time pass token token1
.
The response is returned to the browser containing an iframe with URL http://your_website.com/iframe.php?token=token1
.
In iframe.php
you verify the token1
to see if it is valid, and
, at the same time, you are authenticating the requester without actually asking
for his username and/or password (since you know who you have
generated the token for).
Such tokens are usually deleted once used (one time pass) and they also usually come with an expiration data. But that's up to you and your application.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With