Skip to content

[SAST][Medium] Permissive Cross-domain Policy #1401

New issue
New issue
Open
Open
[SAST][Medium] Permissive Cross-domain Policy#1401
@alan-null

Description

@alan-null
alan-null
opened on Nov 28, 2025

Not a regression

ace.js

Console/src/Spe/sitecore modules/PowerShell/Scripts/ace/ace.js

Line 1748 in 248a7bc

win.postMessage(messageName, "*");

Location:

Path: Sitecore.PowerShell.Extensions-8.0-Beta-2-IAR/files/sitecore%20modules/PowerShell/Scripts/ace/ace.js, line 1748
Path: Sitecore.PowerShell.Extensions-8.0-Beta-2.scwdp/Content/Website/sitecore%20modules/PowerShell/Scripts/ace/ace.js, line 1748
Path: Sitecore.PowerShell.Extensions-8.0-Beta-2-IAR.scwdp/Content/Website/sitecore%20modules/PowerShell/Scripts/ace/ace.js, line 1748
Path: Sitecore.PowerShell.Extensions-8.0-Beta-2/files/sitecore%20modules/PowerShell/Scripts/ace/ace.js, line 1748

Proof:

Image

Info: Setting targetOrigin to "*" in postMessage may enable malicious parties to intercept the message. Consider using an exact target origin instead.

Resolution

Code is using  win.postMessage(messageName, "*");

❌ vulnerable

otherWindow.postMessage({ type: 'PAYLOAD', data }, "*");

✅ safe — compute and pin the exact origin

const targetUrl = new URL("https://app.partner.example:443/embed");
const targetOrigin = targetUrl.origin; // "https://app.partner.example"
otherWindow.postMessage({ type: 'PAYLOAD', data }, targetOrigin);
  • Replace every postMessage(..., "*") with a specific origin.
  • Derive TARGET_ORIGIN from a known URL (never from untrusted input).
  • Prefer structured objects ({type: "...", ...}) over raw strings.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions