Console
[SAST][Medium] Permissive Cross-domain Policy
Not a regression
ace.js https://github.com/SitecorePowerShell/Console/blob/248a7bc4e34c9a50e3709130408c62a90bc39e6c/src/Spe/sitecore%20modules/PowerShell/Scripts/ace/ace.js#L1748
Location:
Path: Sitecore.PowerShell.Extensions-8.0-Beta-2-IAR/files/sitecore%20modules/PowerShell/Scripts/ace/ace.js, line 1748
Path: Sitecore.PowerShell.Extensions-8.0-Beta-2.scwdp/Content/Website/sitecore%20modules/PowerShell/Scripts/ace/ace.js, line 1748
Path: Sitecore.PowerShell.Extensions-8.0-Beta-2-IAR.scwdp/Content/Website/sitecore%20modules/PowerShell/Scripts/ace/ace.js, line 1748
Path: Sitecore.PowerShell.Extensions-8.0-Beta-2/files/sitecore%20modules/PowerShell/Scripts/ace/ace.js, line 1748
Proof:
Info: Setting targetOrigin to "*" in postMessage may enable malicious parties to intercept the message. Consider using an exact target origin instead.
Resolution:
Code is using win.postMessage(messageName, "*");
❌ vulnerable
otherWindow.postMessage({ type: 'PAYLOAD', data }, "*");
✅ safe — compute and pin the exact origin
const targetUrl = new URL("https://app.partner.example:443/embed");
const targetOrigin = targetUrl.origin; // "https://app.partner.example"
otherWindow.postMessage({ type: 'PAYLOAD', data }, targetOrigin);
- Replace every postMessage(..., "*") with a specific origin.
- Derive targetOrigin from a known, trusted URL (never from untrusted input such as query parameters or the referrer).
- Prefer structured objects ({type: "...", ...}) over raw strings.
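The resolution above, worked through as an added example (not code from the SPE project or the ace.js editor): a sender that pins the exact origin computed from a known URL, a receiver that drops messages from origins it does not allow-list, and a small source scanner that flags the wildcard pattern this SAST rule reports. The window objects and URLs are constructed stand-ins.

```javascript
// Added example (not SPE's code): pinning the postMessage targetOrigin and
// validating event.origin on the receiving side. fakeWindow-style objects
// and the partner URL are constructed stand-ins, not real browser windows.

// Turn a known, trusted URL into the exact origin string postMessage expects.
// URL.origin drops default ports ("https://h:443/x" -> "https://h"), so the
// value matches what the receiving frame sees as event.origin.
function originOf(knownUrl) {
  const url = new URL(knownUrl);
  if (url.origin === "null") {
    // Opaque origins (about:, blob:, file:) cannot be pinned; fail closed.
    throw new Error(`cannot pin an opaque origin for ${knownUrl}`);
  }
  return url.origin;
}

// Build a sender bound to one target window and one exact origin.
function makeSender(targetWindow, knownUrl) {
  const targetOrigin = originOf(knownUrl); // computed once, never "*"
  return function send(type, payload) {
    targetWindow.postMessage({ type, data: payload }, targetOrigin);
    return targetOrigin;
  };
}

// Receiver counterpart: ignore any message whose origin is not allow-listed.
function makeReceiver(allowedUrls, onMessage) {
  const allowed = new Set(allowedUrls.map(originOf));
  return function onEvent(event) {
    if (!allowed.has(event.origin)) return false; // dropped
    onMessage(event.data);
    return true;
  };
}

// Minimal detection over source text: flag postMessage calls whose
// targetOrigin argument is the wildcard "*" (what the SAST finding reports).
const WILDCARD_RE = /\.postMessage\s*\([^;]*?,\s*(["'])\*\1\s*\)/;
function findWildcardPostMessage(source) {
  return source
    .split("\n")
    .map((line, i) => (WILDCARD_RE.test(line) ? i + 1 : null))
    .filter((n) => n !== null);
}
```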