Microfrontends do not check origin of postMessage API events

[kwiatekus]

Description

A top level window (Console UI) is holding several nested iframes (microfrontends). Communication between components is built on top of postMessage API. In regards to postMessage API, communication is only possible between microfrontends and parent frame. Custom routing logic is implemented to provide further capabilities as required.

Risk

Message receivers, including parent frame, could accidentally process events received via postMessage API from untrusted origins. That compromises integrity. Message senders could accidentally post events to untrusted origins. This compromises confidentiality. Risk accepted on 03/Jul/18 by @gopikannappan

Suggested Mitigation

• In Luigi Core check messages received by postMessage API:

  • check if the event source is one of the iframes that was created be Luigi
  • check if the event origin matches the domain of the microfrontend as rendered or navigated to by Luigi

• In Luigi Core specify target when using the postMessage API to send messages to microfrontends:

  • set the target of the outcoming message to the domain of the microfrontend as rendered or navigated to by Luigi

This should also take care of roundtrip messages - when a microfrontend asks to provide something from Luigi Core and Luigi Core answers, the answer should go back to the same iframe and should target the same domain.

• ~Block microfrontends from same origin as consoleui (as they would have privileged access on parent frame)~ .

[stale[bot]]

This issue has been automatically marked as stale due to the lack of recent activity. It will soon be closed if no further activity occurs. Thank you for your contributions.

[stale[bot]]

This issue has been automatically marked as stale due to the lack of recent activity. It will soon be closed if no further activity occurs. Thank you for your contributions.