Replies: 2 comments
-
Hi, is there a way I can use to fix/mute this warning in Snyk, please?
-
Snyk seems to confuse a PeerJS data channel with a multi-window message exchange. This is definitely a false positive.
There’s probably a way to mute that in Snyk directly, but you can also just replace `.addEventListener("message", ...)` with `.on("message", ...)`.
-
Insufficient postMessage Validation
The origin of the received message is not checked. This means any site (even a malicious one) can send messages to this window. If you don't expect this, consider checking the origin of the sender.
peerjs.js (line : 4232)
Fix Analysis
Details
postMessage is a feature to perform cross-origin communication between JavaScript Window objects. This can be done by:
- The sender using `targetWindow.postMessage(message, targetOrigin)` to send a message to the `targetWindow`, but only if the origin in that window matches `targetOrigin` (or if `targetOrigin` is set to the special value `*`);
- The receiver listening for the `message` event in the window object.
However, if no validation is done by the receiver, this could allow any window to send arbitrary data to the handler. This vulnerability could be leveraged by an attacker to disclose sensitive data to a malicious origin, or to perform actions on a victim's behalf.
Example:
Best practices for prevention
Example:
References
Introduction to postMessage() Vulnerabilities
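The check Snyk's description calls for, as an added example that is neither the discussion's nor PeerJS's code: a `window` "message" handler that compares `event.origin` against an allowlist, beside the unchecked form the scanner flags. It runs under Node with constructed event objects standing in for browser `MessageEvent`s; the RTCDataChannel "message" event that PeerJS listens on is not a cross-window postMessage, which is why the reply above treats the finding as a false positive.

```javascript
// Added example (not from the discussion or from PeerJS).
// The pattern Snyk flags: the handler never consults event.origin, so a
// message from any window reaches the application logic.
function makeUncheckedHandler(onData) {
  return function (event) {
    onData(event.data);
    return true; // always processed
  };
}

// Hardened form: an explicit allowlist of full origin strings.
function makeOriginCheckedHandler(allowedOrigins, onData) {
  const allowed = new Set(allowedOrigins);
  return function (event) {
    // Compare the whole origin (scheme + host + port). Do not use
    // startsWith/includes: "https://app.example.com.evil.net" would pass.
    if (!allowed.has(event.origin)) {
      return false; // dropped: untrusted sender
    }
    onData(event.data);
    return true;
  };
}

// Constructed events; in a browser these would come from
// window.addEventListener("message", handler).
const constructedEvents = [
  { origin: "https://app.example.com", data: { action: "setToken", token: "good" } },
  { origin: "https://app.example.com.evil.net", data: { action: "setToken", token: "bad" } },
  { origin: "null", data: { action: "setToken", token: "sandboxed" } },
];

// Feeds the same events to both handlers and reports which tokens each accepted.
function demo() {
  const seenByUnchecked = [];
  const seenByChecked = [];
  const unchecked = makeUncheckedHandler((d) => seenByUnchecked.push(d.token));
  const checked = makeOriginCheckedHandler(
    ["https://app.example.com"],
    (d) => seenByChecked.push(d.token)
  );
  for (const ev of constructedEvents) {
    unchecked(ev);
    checked(ev);
  }
  return { seenByUnchecked, seenByChecked };
}
```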