postMessage spoofing
Send forged messages to the parent page and check whether origin validation is missing.
Behavior by sandbox policy
| Policy | Expected result |
|---|---|
| No sandbox | works |
| sandbox="allow-scripts" | works |
| sandbox="" (strictest) | blocked |
Embed snippet
This snippet uses the dedicated embed page. Paste it into your own service and check rendering or blocking behavior.
<iframe src="https://xss-playground.com/embed/post-message?lang=en" title="XSS Playground - postMessage spoofing" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>
Explanation
- postMessage is the intended cross-origin channel. SOP does not block it, so the parent must validate event.origin.
- If the parent uses message listeners for a payment widget, iframe-resizer, the YouTube IFrame API, and similar integrations, mimicking that format becomes an attack surface.
- Defense is `event.origin` validation against an exact allowlist of trusted origins (string equality, never a prefix or substring match) plus message type/schema validation before the data reaches application logic. Among sandbox policies, only `sandbox=""` (no `allow-scripts`) blocks postMessage itself, because the frame cannot execute script at all. With `allow-scripts` but without `allow-same-origin` the frame can still send, and the parent sees `event.origin === "null"`; a correct allowlist check rejects that.
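The receiver-side defense described above, as an added example that is not part of the playground's own code. It contrasts a listener that trusts every message with one that checks `event.origin` against an exact allowlist and then validates the message shape. The trusted origin `https://widget.example.com` and the `resize`/`checkout` message types are assumptions chosen to resemble an iframe-resizer or payment widget; the events are constructed inline so the example runs in Node without a DOM, and the browser wiring at the end only runs when a `window` exists.

```javascript
// Added example: vulnerable vs hardened postMessage receiver.
// Handlers take an event-like object {origin, data}, the same fields a
// browser "message" event carries. Origins and message types are assumed.

// Assumed trusted embed origin (hypothetical).
const TRUSTED_ORIGINS = new Set(["https://widget.example.com"]);

// Vulnerable: acts on any message whose "type" field looks right, so a
// spoofing frame (e.g. the playground embed) can drive the widget.
function vulnerableHandler(event, state) {
  const msg = event.data;
  if (msg && msg.type === "resize") {
    state.height = msg.height;
    return "resized";
  }
  if (msg && msg.type === "checkout") {
    state.amount = msg.amount;
    return "checkout";
  }
  return "ignored";
}

// Hardened: exact-match origin allowlist, then strict schema check.
function hardenedHandler(event, state) {
  // 1. Origin check by string equality. A startsWith/indexOf check would
  //    accept "https://widget.example.com.attacker.net". A sandboxed frame
  //    without allow-same-origin reports "null" and is rejected here too.
  if (!TRUSTED_ORIGINS.has(event.origin)) return "rejected-origin";

  // 2. Schema check: plain object, known type, expected field types and
  //    ranges, so malformed or spoofed payloads never reach app logic.
  const msg = event.data;
  if (typeof msg !== "object" || msg === null) return "rejected-schema";
  switch (msg.type) {
    case "resize":
      if (!Number.isInteger(msg.height) || msg.height < 0 || msg.height > 4000) {
        return "rejected-schema";
      }
      state.height = msg.height;
      return "resized";
    case "checkout":
      if (typeof msg.amount !== "number" || !(msg.amount > 0)) {
        return "rejected-schema";
      }
      state.amount = msg.amount;
      return "checkout";
    default:
      return "rejected-schema";
  }
}

// Simulates browser delivery: the browser, not the sender, fills in
// event.origin from the sending document, so a spoofing frame can forge
// the data but not the origin. That is why an origin check is meaningful.
function deliver(senderOrigin, data, handler, state) {
  return handler({ origin: senderOrigin, data }, state);
}

// Constructed messages (not captured traffic).
const legitPayload = { type: "checkout", amount: 9.99 };
const spoofPayload = { type: "checkout", amount: 0.01 };

function demo() {
  const vulnerableState = {};
  const hardenedState = {};
  return {
    // Spoof from the playground origin reaches the vulnerable widget.
    vulnerableSpoof: deliver("https://xss-playground.com", spoofPayload, vulnerableHandler, vulnerableState),
    // Legitimate widget message is accepted by the hardened handler.
    hardenedLegit: deliver("https://widget.example.com", legitPayload, hardenedHandler, hardenedState),
    // Same spoof is rejected on origin alone.
    hardenedSpoof: deliver("https://xss-playground.com", spoofPayload, hardenedHandler, hardenedState),
    // sandbox="allow-scripts" frame: origin is the literal string "null".
    hardenedSandboxed: deliver("null", { type: "resize", height: 50 }, hardenedHandler, hardenedState),
    // Right origin, wrong shape: rejected by the schema check.
    hardenedBadSchema: deliver("https://widget.example.com", { type: "resize", height: "50" }, hardenedHandler, hardenedState),
    amountSeenByVulnerable: vulnerableState.amount,
    amountSeenByHardened: hardenedState.amount,
  };
}

// Browser wiring (only when a DOM is present).
if (typeof window !== "undefined") {
  const state = {};
  window.addEventListener("message", (e) => hardenedHandler(e, state));
}
```

`deliver` stands in for the browser's dispatch: the only field a spoofing frame controls is `data`, which is why the origin check has to come first and the schema check has to be strict about what it accepts.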