<p>As mentioned <a href="https://developer.mozilla.org/en-US/docs/Web/API/window.postMessage#Security_concerns" rel="nofollow">here</a>, you should not expect the parent's origin to be sent to you in <code>postMessage</code>'s parameter. Instead:</p>
<blockquote>
<p>If you do expect to receive messages from other sites, always verify the sender's identity using the <strong>origin</strong> and possibly <strong>source</strong> properties. Any window (including, for example, <a href="http://evil.example.com" rel="nofollow">http://evil.example.com</a>) can send a message to any other window, and you have no guarantees that an unknown sender will not send malicious messages. Having verified identity, however, you still should always verify the syntax of the received message. Otherwise, a security hole in the site you trusted to send only trusted messages could then open a cross-site scripting hole in your site.</p>
</blockquote>
<p>And once you have the main frame's URI in your iframe, you can verify its authorization with a simple AJAX call to the server. From my point of view, a server call is inevitable and one way or another you will make such a call.</p>
<p>There are other ways to know who is including your iframe, but they do not rely on <code>postMessage</code>. For instance, if you are using PHP, you can check <code>$_SERVER['HTTP_REFERER']</code> to see who is requesting your iframe even before it is sent to the browser. Yet there are ways of <a href="http://en.wikipedia.org/wiki/Referer_spoofing" rel="nofollow">referrer spoofing</a> as well.</p>
<p>If your application requires a solid, bulletproof solution, then server-to-server communication is your way. In this scenario, each client of yours has a username and password, and the web server that is going to serve the main page should ask for a one-time pass token from the web server that is serving the iframe (this is a server-to-server communication). The token is then used in the iframe's URL and sent back to the server that generated it. Here is the scenario step by step:</p>
<ol>
<li><p>End user asks for the URL <code>http://customer.com/main.php</code>.</p></li>
<li><p>While <code>main.php</code> is executing and populating the response, it also connects to <code>http://your_website.com/generate_token.php?username=customer1&amp;password=123</code> and gets a one-time pass token <code>token1</code>.</p></li>
<li><p>The response is returned to the browser containing an iframe with URL <code>http://your_website.com/iframe.php?token=token1</code>.</p></li>
<li><p>In <code>iframe.php</code> you verify <code>token1</code> to see if it is valid and, at the same time, you are authenticating the requester without actually asking for his username and/or password (since you know who you have generated the token for).</p></li>
</ol>
<p>Such tokens are usually deleted once used (one-time pass) and they also usually come with an expiration date. But that's up to you and your application.</p>
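<p>The two checks the answer quotes from MDN (sender identity first, message syntax second), written out as an iframe-side <code>message</code> handler. This is an added example, not code from the original answer; the allowlisted origins, the message shape (<code>{ type, token }</code>) and the sample events are assumptions.</p>

```javascript
// Added example, not from the original answer: an iframe-side postMessage
// handler that checks event.origin against an explicit allowlist, then validates
// the message's syntax, before acting on it. The allowlist entries, the message
// shape ({ type, token }) and any sample events are all assumptions.

const ALLOWED_ORIGINS = new Set([
  "https://customer.example",   // assumed: a site allowed to embed the iframe
  "https://partner.example",
]);

// Syntax check, done even for trusted senders: a trusted site that is itself
// compromised must not be able to push arbitrary data into this frame.
// Assumed message format: { type: "setToken", token: 16-64 URL-safe chars }.
function parseMessage(data) {
  if (typeof data !== "object" || data === null) return null;
  if (data.type !== "setToken") return null;
  if (typeof data.token !== "string") return null;
  if (!/^[A-Za-z0-9_-]{16,64}$/.test(data.token)) return null;
  return { type: "setToken", token: data.token };
}

// Returns { accepted, reason, message? } so the decision can be logged and tested.
function handleIncomingMessage(event, allowedOrigins = ALLOWED_ORIGINS) {
  // 1. Sender check: exact match on origin. "null" (sandboxed/opaque origins)
  //    and any scheme/host/port mismatch are rejected.
  if (!allowedOrigins.has(event.origin)) {
    return { accepted: false, reason: "untrusted origin: " + event.origin };
  }
  // 2. Content check, independent of the sender.
  const message = parseMessage(event.data);
  if (message === null) {
    return { accepted: false, reason: "malformed message" };
  }
  // 3. Act, and reply only to the verified sender with its origin pinned,
  //    so the acknowledgement cannot be delivered to a different site.
  if (event.source && typeof event.source.postMessage === "function") {
    event.source.postMessage({ type: "ack" }, event.origin);
  }
  return { accepted: true, reason: "ok", message };
}

// Install the listener when running in a browser; skipped under Node.
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const result = handleIncomingMessage(event);
    if (!result.accepted) console.warn("dropped postMessage:", result.reason);
  });
}
```

<p>Note that the origin comparison is an exact string match: a lookalike such as <code>https://customer.example.attacker.test</code> is rejected, which a <code>startsWith</code> or substring check would not guarantee.</p>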