I am launching a pop up window using javascript. This is a security question regarding cross domain messaging between a pop up window and its parent window using javascript "postMessage()".
The html file for the pop up window resides on AWS. The parent window sits on a different domain.
So, a user visits the parent window, and on button click, the pop up window is launched from AWS. Then, the pop up window communicates with the parent window via "postMessage()".
In the parent window, I set the domain to receive messages only from this url: https://s3.amazonaws.com like so:
if(e.origin != 'https://s3.amazonaws.com') {
return;
}
If you can answer any of these questions, it would be helpful. Thank you very much. Does this mean all files from this url will be able to send messages to my parent window? Is this a security risk? Is there a way to specify that messages should only be accepted if they originate from my specific HTML file on AWS? Should I try to host the pop up html file on an internal server that is owned and maintained by my employer?
Thank you.
Yes, the message event can listen for messages from different browsing contexts. It is the prerogative and responsibility of the developer to provide adequate checks as to the origin of the message and specific values of the message which should be expected.
One option is to set the name of the opened window to a unique string, pass the name to window.opener and check if the name is equal to the unique name provided to window.open()