Advertisement
728x90
Since the listener listens for any message, an attacker can trick the application by sending a message from the attacker’s origin, which gives an impression that the receiver received the message from the actual sender’s window. You can avoid this issue by validating the origin of the message on the receiver's end using the “message.origin” attribute.
For example, let's check the sender's origin http://www.some-sender.com on receiver side www.some-receiver.com,
javascript
1//Listener on http://www.some-receiver.com/
2
3window.addEventListener("message", function(message){
4 if(/^http://www\.some-sender\.com$/.test(message.origin)){
5 console.log('You received the data from valid sender', message.data);
6 }
7});Advertisement
Responsive Ad
🎯 Practice NowRelated Challenge
JavaScript Coding Exercise 71
Test your knowledge with this interactive coding challenge.
Start CodingAdvertisement
728x90
328of476