Unchecked origin in message handler detected.

Rule ID: javascript_lang_message_handler_origin
Languages: javascript
Source: message_handler_origin.yml

Description

Applications should check the origin of message events. Handling messages from untrusted origins could lead to Cross-Site Scripting (XSS) attacks.

Remediations

❌ Avoid handling messages from any origin:

window.addEventListener('message', (event) => {
  actOnMessage(event.data)
})

✅ Validate the origin:

window.addEventListener('message', (event) => {
  if (event.origin != 'https://myapp.example.com') {
    throw new Error('invalid origin')
  }

  actOnMessage(event.data)
})

Resources

OWASP Cross-Site Scripting (XSS) Cheatsheet

Associated CWE

CWE-346: Origin Validation Error

OWASP Top 10

A07:2021 - Identification and Authentication Failures

Ready to take the next step? Join the Bearer Cloud waitlist.