Missing origin check in message handler

Description

Failing to verify the origin of message events can expose your application to Cross-Site Scripting (XSS) attacks. This vulnerability arises when an application processes messages posted via `postMessage` without confirming that they come from a trusted source; any window, frame or extension that can reach your page can post a message to it.

Remediations

  • Do not add message event listeners without checking the origin of the messages. This approach leaves your application vulnerable to malicious inputs.

        window.addEventListener('message', (event) => {
          actOnMessage(event.data) // unsafe
        })

  • Do validate the origin of incoming messages before processing them. Ensure that the message comes from a trusted source by comparing the event's origin with a predefined list of allowed origins.

        window.addEventListener('message', (event) => {
          if (event.origin !== 'https://myapp.example.com') {
            throw new Error('invalid origin')
          }

          actOnMessage(event.data)
        })
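The remediation above generalized to an allowlist of several origins, with an exact-match comparison and a basic shape check on the payload. This is an added example, not code from the Bearer rule or documentation; `ALLOWED_ORIGINS`, `createMessageHandler`, `makeRecorder` and `actOnMessage` are hypothetical names chosen for the demo.

```javascript
// Added example (not Bearer's own code): an origin-checked 'message' handler.
// Exact-match allowlist of origins (scheme + host + port). Values are constructed.
const ALLOWED_ORIGINS = new Set([
  'https://myapp.example.com',
  'https://admin.myapp.example.com:8443',
]);

// Build a 'message' listener that only dispatches messages from allowed origins.
// Returns the listener so it can be attached with window.addEventListener and
// unit-tested with constructed event objects. Returns true when the message
// was dispatched to actOnMessage, false when it was rejected.
function createMessageHandler(allowedOrigins, actOnMessage) {
  return function onMessage(event) {
    // Exact comparison against the allowlist. A prefix or substring check
    // (startsWith / includes) is not sufficient, because the origin string
    // may merely begin with or contain the trusted host name. The literal
    // origin 'null' (sandboxed iframes, opaque origins) is rejected too.
    if (typeof event.origin !== 'string' || !allowedOrigins.has(event.origin)) {
      // Ignore rather than throw: unrelated frames and extensions post
      // messages as well, and an uncaught error only clutters the console.
      return false;
    }
    // The origin says who sent the message, not that the payload is well-formed:
    // validate the shape before acting on it.
    const data = event.data;
    if (typeof data !== 'object' || data === null || typeof data.type !== 'string') {
      return false;
    }
    actOnMessage(data, event.origin);
    return true;
  };
}

// Demo receiver: records which messages were accepted and from where.
function makeRecorder() {
  const seen = [];
  return { seen, act: (data, origin) => seen.push({ origin, type: data.type }) };
}

// Attach the handler only when running inside a browser window.
if (typeof window !== 'undefined') {
  window.addEventListener('message', createMessageHandler(ALLOWED_ORIGINS, console.log));
}
```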

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_message_handler_origin

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_lang_message_handler_origin