Below is an overview of our application. The user interface is sourced from a secure domain , and scripts are hosted on the same domain.
The application loads content from the client site within an IFRAME. Due to concerns about trustworthiness, as the code quality could be lower than our own, we suspect that it may contain malicious XSS vulnerabilities.
In addition, the application also loads a trusted script from our secondary domain . These scripts can call a REST API from aaa.com, requiring a security token for access. This security token is obtained by logging into the UI located at the top window on the aaa domain.
We must establish a secure communication channel to transfer the security token from a private closure in the browser window (scriptA.js) to another private closure in our script within the IFRAME (scriptB.js).
Due to the different domains involved, we need to employ the postMessage API for inter-script communication. Ideally, we aim to pass a securely encrypted message such as "Hey, I am scriptB. Please send me the token encrypted with this key (asymmetric encryption public key generated for this purpose). Let scriptA send the encrypted key so that any malicious XSS attempts to intercept will fail."
However, there is a risk that a malicious XSS attack could impersonate scriptB since it originates from the same domain and therefore may try to intercept the token response.
The main question is how we can ensure that the request message sent from scriptA to scriptB can be authenticated as coming from the script loaded from , and not from an XSS exploit originating from client.com or another domain. Alternatively, are there other secure communication methods that could be utilized to safely transfer the token from scriptA to scriptB?
Do you have any suggestions?