Being Safe and Secure with Cross-Origin Messaging

Being Safe and Secure with Cross-Origin Messaging
Mic Whitehorn
Author: Mic Whitehorn

Complex web and mobile apps often depend on cross-domain interactions between different online services, but the web browser’s security model restricts them by default via the Same-Origin Policy.  A variety of approaches have been used to address this need. JSONP solved this by using script tags to load cross-domain data, though it is more of a legacy approach.  This introduction of browser support for CORS gave us the option of loosening the same-origin policy in a controlled way, probably the most common technique for supporting cross-domain interactions today.  This post will look at another option for achieving cross-origin interactions, using the window.postMessage() method and the onMessage event. 

Because the restrictions on cross-domain interactions are core to the security model of the web browser, any solution that bypasses these restrictions will come with certain security considerations, and the onMessage event is no exception.  When implemented without the appropriate restrictions, it can be abused to expose applications to security threats like cross-site scripting and data leaks. Therefore, it's crucial for developers to use this feature wisely, ensuring communications are validated and secure.

After diving into a bit more detail on how this API works, this post will go into more detail on the associated security risks, and secure implementation practices. Additionally, we will examine its interaction with web security measures like Content-Security-Policy, aiming to provide a more complete view on securing web applications against the challenges of cross-domain messaging.

Understanding the onMessage Event

The onMessage event is a part of the HTML5 API and provides a JavaScript-centric approach to overcoming the barriers imposed by the same-origin policy, particularly for facilitating interactions between two documents from different origins that are both open in the browser.  This feature is invoked through the window.postMessage() method, which is used to send messages, with the sender explicitly targeting the recipient. The receiving end listens for these messages by attaching an event listener to the onMessage event. Developers can then extract the message data for further processing.

The basic syntax for sending a message looks something like this: 

// Reference to the iframe element

const iframe = document.getElementById('myIframe');

// Data to be sent to the iframe, for example, user settings

const message = {

  setting: 'darkMode',

  value: true


// The origin of the iframe to ensure we're sending the message to the right place

const targetOrigin = '';

// Sending a message to the iframe

iframe.contentWindow.postMessage(message, targetOrigin);

In this example the iframe is a reference to the window that will receive the message, message is the data to be sent, and targetOrigin specifies the origin for which the message is intended. 

The receiving code in the iframed document would look something like this:

// Function to handle incoming messages

function receiveMessage(event) {

  // Check the origin of the message for security purposes

  if (event.origin !== "") {

// Not the expected origin, discard the message



  // Assuming the message is from a trusted origin, process the message

  console.log('Received settings:',;

  // Perform actions based on the received message

  // For example, apply the user settings

  if ( === 'darkMode') {



  // Optionally, send a confirmation message back to the main website

  event.source.postMessage('Settings applied successfully', event.origin);


// Listen for message events

window.addEventListener('message', receiveMessage, false);


Note that in this example, we verify the origin of incoming messages on the receiving side.  This is a crucial security control, and we will expand on the reason why, in the Best Practices section below.  The onMessage event facilitates a wide range of web applications, from social media widgets to third-party APIs, enhancing the web's interconnectedness while navigating the challenges posed by cross-origin restrictions. However, its power and utility come with the responsibility to implement it securely, underscoring the importance of understanding its workings and potential security implications.

Security Concerns with onMessage

The onMessage event, while enabling sophisticated cross-domain communication, introduces notable security concerns. Its misuse or poor implementation can open up applications to vulnerabilities and potential exploits. Key areas of concern include improper origin validation, insufficient data sanitization, and the use of overly broad target origins. These issues can lead to various security risks such as cross-site scripting (XSS), data exfiltration, and phishing attacks.

Common Attack Vectors

  • Cross-Site Scripting (XSS): Attackers may use onMessage vulnerabilities to execute malicious scripts in the context of the recipient domain.  This is due to a case of misplaced trust. The recipient is written to treat the message as a trustworthy source, but, due to flaws in the implementation, it is not.
  • Data Exfiltration: Vulnerable applications could inadvertently leak sensitive information to malicious actors.
  • Phishing and Social Engineering: Compromised messaging could trick users into exposing confidential information or performing unwanted actions. This could happen in a case where untrustworthy messages are being used to populate the UI text which directs the user to take actions. It could also occur in the aforementioned data leakage case where a malicious actor receives the information to target users and create a false sense of trust by presenting data that the user perceives to be privileged.

Best Practices for Secure Implementation

To mitigate the risks associated with the onMessage event and ensure secure cross-domain communication, developers should adhere to the following best practices:

Strict Origin Validation:
  • Always validate the event.origin against a list of trusted domains before processing any message. This step is crucial to ensure that messages are received from expected sources only.
  • This is done by checking the event.origin property in the event handler. Such validation prevents malicious sites from sending harmful data. Despite its simplicity, this step is fundamental in ensuring that the communication is secure and that only messages from trusted sources are acted upon.

Data Sanitization:
  • Sanitize the content of incoming messages to prevent injection attacks. Ensure that any data used from messages is safe to incorporate into your application without executing unintended scripts or HTML.
Precise Target Origins:
  • Avoid using a wildcard (*) when specifying the target origin in postMessage calls. Always provide the exact origin to which the message should be sent to limit the exposure of sensitive information.
Secure Contexts:
  • Utilize HTTPS to protect the integrity and confidentiality of messages exchanged between origins. This practice helps prevent man-in-the-middle attacks.
Minimal Privilege Principle:
  • Only send the necessary information required for the operation. Limit the scope of the data in messages to what is absolutely needed, reducing the potential impact of a breach.
Regular Auditing and Testing:
  • Regularly review and test the implementation of postMessage communication in your applications. Automated security scanning and manual penetration testing can help identify and remediate vulnerabilities.

By implementing these practices, developers can significantly enhance the security of cross-domain messaging in their applications. It is vital to maintain an ongoing commitment to security, continuously updating and refining practices as new threats emerge and web standards evolve.

Interaction with Other Security Controls

Cross-domain messaging via the onMessage event doesn't operate in isolation but interacts with other web security mechanisms, notably Content Security Policy (CSP) and Cross-Origin Resource Sharing (CORS). Understanding how onMessage communication fits within the broader security landscape is crucial for developers aiming to build secure applications.

Content Security Policy (CSP)

CSP is a powerful tool for reducing the risk of cross-site scripting (XSS) and other code injection attacks by specifying which dynamic resources are allowed to load. When it comes to onMessage event handling, CSP can play a pivotal role in ensuring that messages are only accepted from, and sent to, trusted sources.

  • CSP and onMessage: While CSP does not directly control the postMessage function or restrict the onMessage event's ability to receive messages, it can influence related behaviors. For instance, CSP directives like frame-src can restrict which origins can embed your pages as iframes, indirectly influencing which origins might attempt to send messages.
  • Best Practices: Ensure your CSP directives are aligned with the origins you communicate with using postMessage. For more detailed guidance on configuring CSP, refer to our previous posts on Content Security Policy or the Mozilla Developer Network’s reference on the CSP.

Cross-Origin Resource Sharing (CORS)

CORS is another critical security feature that controls how web applications perform cross-origin requests. Unlike onMessage, which allows for more flexible cross-domain communication, CORS provides a mechanism for servers to control how resources are shared across domains.

  • CORS and onMessage: Although onMessage allows for message passing irrespective of CORS policies, understanding CORS is essential for developers. It sets the groundwork for secure cross-origin interactions, especially when fetching resources or invoking APIs that also participate in the messaging ecosystem. A good understanding of CORS is crucial for developers who need to make well-informed decisions about when to use cross-origin server interactions versus client-to-client message-based integrations.
  • Complementary Security: Use CORS in tandem with onMessage to ensure a comprehensive security posture. While CORS controls access to resources on your server, onMessage safeguards client-side messaging. Together, they offer a layered defense against cross-origin threats.

Integrating onMessage with CSP and CORS

Integrating onMessage functionality within the context of CSP and CORS requires a holistic approach to web security. Here's how to ensure your application remains secure while leveraging these technologies:

  • Harmonize Policies: Align your CSP and CORS configurations with the origins you expect to communicate with via postMessage. This alignment ensures consistent security policies across different aspects of your application.
  • Validate Origins: In addition to CSP and CORS configurations, explicitly validate the origin in onMessage handlers. This triple layer of validation—CSP, CORS, and onMessage origin checks—fortifies your application against unauthorized cross-origin interactions.
  • Secure Messaging Practices: Adopt secure messaging practices, such as always specifying a target origin in postMessage and validating incoming messages, as part of your overall security strategy. These practices should complement your CSP and CORS configurations, creating a robust defense against cross-origin attacks.

By understanding and integrating these security controls, developers can enhance the security of their applications against a range of web-based threats. It's essential to view onMessage communication within the broader context of web security, using CSP and CORS as complementary defenses to safeguard against unauthorized access and data breaches.


In the intricate landscape of web development, the onMessage event stands out as a critical tool for enabling secure, cross-domain communication. Its ability to facilitate interaction between different origins is indispensable in today's interconnected digital environment. However, the power of onMessage comes with significant security considerations. Developers must diligently validate origins, sanitize data, and adhere to best practices to mitigate potential vulnerabilities.Integrating the onMessage mechanism with other security controls, such as Content Security Policy (CSP) and Cross-Origin Resource Sharing (CORS), further strengthens application defenses. By aligning CSP directives with messaging policies, and understanding the complementary role of CORS, developers can create a robust security framework that encompasses both server and client-side protections.

As we've explored, secure implementation of onMessage communication is not just about preventing specific attacks but adopting a holistic security mindset. Regularly reviewing and updating security practices in response to emerging threats is essential. Security is not a one-time effort but an ongoing commitment to safeguarding user data and maintaining trust. We encourage developers to continually explore and understand the evolving security landscape, integrating the insights and practices discussed in this post. Remember, a secure application is the result of deliberate planning, implementation, and continuous improvement. For further reading and more detailed guides on related topics, refer to our posts on Implementing Content Security Policy and Understanding Cross-Origin Resource Sharing.

In conclusion, the onMessage event is a powerful feature for web applications, offering a range of possibilities for enhancing user experience through cross-domain communication. By following the guidelines and security practices outlined in this post, developers can leverage this feature to its full potential while ensuring the security and integrity of their applications.


Join the professionally evil newsletter