The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5 Websites
Author(s): Sooel Son and Vitaly Shmatikov
Download: Paper (PDF)
Date: 23 Apr 2013
Document Type: Presentations
Additional Documents: Slides
Associated Event: NDSS Symposium 2013
The postMessage facility in HTML5 enables communication between web content from different origins. We analyze postMessage receivers used in the Alexa top 10,000 sites and demonstrate that many of them perform origin checks incorrectly. This leads to multiple vulnerabilities, from cross-site scripting to injection of arbitrary content into localStorage. We then propose several patterns for safe usage of postMessage.
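As an added illustration of what an incorrect origin check in a postMessage receiver can look like next to a strict one (this is not code from the paper or from any site it studied): the substring check is one assumed instance of a flawed check, and the origin `https://widgets.example.com`, the `set-theme` message shape and all function names are constructed for the example.

```javascript
// Constructed allowlist: full origins (scheme + host + port), compared exactly.
const TRUSTED_ORIGINS = new Set(["https://widgets.example.com"]);

// Incorrect: substring match accepts any origin that merely contains the name.
function weakOriginCheck(origin) {
  return origin.indexOf("widgets.example.com") !== -1;
}

// Correct: exact string equality against the allowlist.
function strictOriginCheck(origin) {
  return typeof origin === "string" && TRUSTED_ORIGINS.has(origin);
}

// Build a "message" handler that checks the origin, then the data shape,
// and only then writes to storage (anything with a localStorage-like setItem).
function makeReceiver(checkOrigin, storage) {
  return function onMessage(event) {
    if (!checkOrigin(event.origin)) return false;
    const d = event.data;
    if (d === null || typeof d !== "object") return false;
    if (d.type !== "set-theme") return false;
    if (d.value !== "light" && d.value !== "dark") return false;
    storage.setItem("theme", d.value);
    return true;
  };
}

// Constructed sample events (not captured traffic).
const SAMPLE_EVENTS = [
  { origin: "https://widgets.example.com", data: { type: "set-theme", value: "dark" } },
  { origin: "https://widgets.example.com.other.test", data: { type: "set-theme", value: "light" } },
  { origin: "http://widgets.example.com", data: { type: "set-theme", value: "light" } },
  { origin: "https://widgets.example.com", data: { type: "set-theme", value: "neon" } },
];

// Run every sample through a receiver; returns which events were accepted.
function runSamples(checkOrigin) {
  const store = { items: {}, setItem(k, v) { this.items[k] = String(v); } };
  const receive = makeReceiver(checkOrigin, store);
  return { accepted: SAMPLE_EVENTS.map((e) => receive(e)), theme: store.items.theme };
}

console.log("weak  :", runSamples(weakOriginCheck));
console.log("strict:", runSamples(strictOriginCheck));
// In a page: window.addEventListener("message", makeReceiver(strictOriginCheck, localStorage));
```

With the weak check, the look-alike host and the plain-http origin both reach the storage write and overwrite the value set by the legitimate sender; with the strict check only the first event is accepted.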