The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5 Websites

The postMessage mechanism in HTML5 enables Web content from different origins to communicate with each other, thus relaxing the same origin policy. It is especially popular in websites that include third-party content. Each message contains accurate information about its origin, but the receiver must check this information before accepting the message. The responsibility for preventing cross-origin attacks is thus partially delegated from the Web browser to the implementors of postMessage receiver functions. We collected postMessage receivers from the Alexa top 10,000 websites and found that many perform origin checks incorrectly or not at all. This results in exploitable vulnerabilities in 84 popular sites, including cross-site scripting and injection of arbitrary content into local storage. We propose two defenses. The first uses pseudo-random tokens to authenticate the source of messages and is intended for the implementors of third-party content. The second, based on a Content Security Policy extension, is intended for website owners. The two defenses are independent and can be deployed jointly or separately.