blueclosure / BCDetect


Does BCDetect identify data that uses window.postMessage or receive as a source/sink? #26

Open 0xdevalias opened 7 years ago

0xdevalias commented 7 years ago

I'm not sure if BCDetect is currently able to or not (I've certainly never seen it detect anything in this way), but it would be really useful to know when controllable sources end up in a window.postMessage(), or when controllable data comes back as part of a message event.

This would assist in narrowing down times when misconfigured origin checking leads to exploitable cross-domain situations.

wisec commented 7 years ago

The message from a postMessage is always tainted, so half of your request is already alive and kicking. Setting window.postMessage as a sink is a bit more complicated, but finding a solution for that is on the schedule. Thanks,
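
Added example (not BCDetect's code and not written by either commenter): the two flows discussed in this issue, with a misconfigured origin check beside a corrected one on the receiving side and a guarded `postMessage` call on the sending side. All function names and origins are constructed, and plain objects stand in for real `MessageEvent` and `Window` objects so the block runs under Node.

```javascript
// Constructed allowlist; replace with the origins your application really trusts.
const TRUSTED_ORIGINS = new Set(["https://app.example"]);

// Misconfigured check: a substring match accepts any origin that merely
// contains the trusted string somewhere in it.
function weakOriginCheck(origin) {
  return origin.indexOf("https://app.example") !== -1;
}

// Corrected check: exact comparison against the allowlist.
function strictOriginCheck(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// Source side: event.data is tainted unless the origin check holds.
// Returns the data when accepted, null when the message is dropped.
function receiveMessage(event, originCheck) {
  if (!originCheck(event.origin)) return null;
  if (typeof event.data !== "string") return null; // accept plain strings only
  return event.data;
}

// Sink side: refuse a wildcard or unlisted targetOrigin so the data is
// only ever delivered to an origin on the allowlist.
function sendMessage(targetWindow, data, targetOrigin) {
  if (targetOrigin === "*" || !TRUSTED_ORIGINS.has(targetOrigin)) {
    throw new Error("refusing postMessage to targetOrigin: " + targetOrigin);
  }
  targetWindow.postMessage(data, targetOrigin);
}

// Constructed sample events (not captured traffic).
const goodEvent = { origin: "https://app.example", data: "hello" };
const lookalikeEvent = { origin: "https://app.example.attacker.test", data: "tainted" };

console.log("weak check, lookalike origin:  ", receiveMessage(lookalikeEvent, weakOriginCheck));
console.log("strict check, lookalike origin:", receiveMessage(lookalikeEvent, strictOriginCheck));
console.log("strict check, trusted origin:  ", receiveMessage(goodEvent, strictOriginCheck));
```
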