One of the new features of HTML5 is cross-document messaging. The feature allows scripts to post messages to other windows. The corresponding API allows the user to specify the origin of the target window. However, caution should be taken when specifying the target origin because an overly permissive target origin will allow a malicious script to communicate with the victim window in an inappropriate way, leading to spoofing, data theft, relay, and other attacks.

Example 1: The following example uses a wildcard to programmatically specify the target origin of the message to be sent.

    WebMessage message = new WebMessage(WEBVIEW_MESSAGE);
    webview.postWebMessage(message, Uri.parse("*"));

Using the * as the value of the target origin indicates that the script is sending a message to a window regardless of its origin.

Browsers do not send the referrer header by default with requests originated from HTTPS to unencrypted HTTP links. However, when a request destination is also HTTPS, the header is sent regardless of the origin. A developer might leave sensitive information in URLs, which are exposed to third-party sites via the referrer header. The Referrer-Policy header is introduced to control browser behavior related to the referrer header. The Unsafe-URL option removes all restrictions and sends the referrer header with every request.

Example: The following code configures a Spring Security protected application to disable the default secure the referrer policy:

	<http auto-config="true">
        ...
        <headers>
            ...
            <referrer-policy policy="unsafe-url"/>
        </headers>
	</http>

Content Security Policy (CSP) is a declarative security header that enables developers to dictate which domains the site is allowed to load content from or initiate connections to when rendered in the web browser. It provides an additional layer of security from critical vulnerabilities such as cross-site scripting, clickjacking, cross-origin access and the like, on top of input validation and checking an allow list in code.

The Content-Security-Policy-Report-Only header provides the capability for web application authors and administrators to monitor security policies, rather than enforce them. This header is typically used when experimenting and/or developing security policies for a site. When a policy is deemed effective, you can be enforce it by using the Content-Security-Policy header field instead.

Example 1: The following code sets a Content Security Policy in Report-Only mode:

	<http auto-config="true">
        ...
        <headers>
            ...
            <content-security-policy report-only="true" policy-directives="default-src https://content.cdn.example.com" />
        </headers>
    </http>

Keyboard extensions are allowed to read every single keystroke that a user enters. Third-party keyboards are normally used to ease the text input or to add additional emojis and they may log what the user enters or even send it to a remote server for processing. Malicious keyboards can also be distributed to act as a keylogger and read every key entered by the user in order to steal sensitive data such as credentials or credit card numbers.

The extension receives data from the host app in its view controller and fails to implement the SLComposeServiceViewController isContentValid to validate the untrusted data received before using it.

Example 1: The following extension view controller receives data from the host app but fails to implement a callback method to validate it:

    #import <MobileCoreServices/MobileCoreServices.h>

    @interface ShareViewController : SLComposeServiceViewController
        ...
    @end

    @interface ShareViewController ()
        ...
    @end

    @implementation ShareViewController

    - (void)didSelectPost {
        NSExtensionItem *item = self.extensionContext.inputItems.firstObject;
        NSItemProvider *itemProvider = item.attachments.firstObject;
        ...
        // Use the received items
        ...
        [self.extensionContext completeRequestReturningItems:@[] completionHandler:nil];
    }

    ...

    @end

When a third party application or webview uses a URL to communicate with your application, the receiving application should verify that the sender matches an allow list of applications that are expected to communicate with it. The receiving application has the option to verify the origin of the calling URL using the UIApplicationDelegate application:openURL:options: or UIApplicationDelegate application:openURL:sourceApplication:annotation: delegate methods.

Example 1: The following implementation of the UIApplicationDelegate application:openURL:options: delegate method fails to verify the sender of the IPC call and just processes the calling URL:

    - (BOOL)application:(UIApplication *)app openURL:(NSURL *)url options:(NSDictionary<NSString *,id> *)options {
        NSString *theQuery = [[url query] stringByRemovingPercentEncoding:NSUTF8StringEncoding];
        NSArray *chunks = [theQuery componentsSeparatedByString:@"&"];
        for (NSString* chunk in chunks) {
            NSArray *keyval = [chunk componentsSeparatedByString:@"="]; NSString *key = [keyval objectAtIndex:0];
            NSString *value = [keyval objectAtIndex:1];
            // Do something with your key and value
        }
        return YES;
    }

When a third party application or webview uses a URL to communicate with your application, the receiving application should validate the calling URL before proceeding with further actions. The receiving application has the option to verify that it wants to open the calling URL using the UIApplicationDelegate application:didFinishLaunchingWithOptions: or UIApplicationDelegate application:willFinishLaunchingWithOptions: delegate methods.

Example 1: The following implementation of the UIApplicationDelegate application:didFinishLaunchingWithOptions: delegate method fails to validate the calling URL and always processes the untrusted URL:

    - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NS Dictionary *)launchOptions {
        return YES;
    }