Missing origin check in message handler

Description

Applications should check the origin of `message` events before acting on them. Any page that holds a reference to your window can send it a message with `postMessage`, so a handler that does not check `event.origin` may act on attacker-supplied data, which can lead to Cross-Site Scripting (XSS).

Remediations

❌ Avoid handling messages from any origin:

window.addEventListener('message', (event) => {
  // Vulnerable: event.data is used without checking where it came from
  actOnMessage(event.data)
})

✅ Validate the origin:

window.addEventListener('message', (event) => {
  // Compare the full origin (scheme + host + port) with strict equality
  if (event.origin !== 'https://myapp.example.com') {
    throw new Error('invalid origin')
  }

  actOnMessage(event.data)
})
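
The following is an added example, not code from the Bearer rule page: a small handler factory that accepts messages only from an explicit allowlist of origins, compares the whole origin string rather than a substring, and drops everything else. The origins `https://myapp.example.com` (from the page) and `https://widgets.example.com` are assumed values; the events fed to the handler are constructed `MessageEvent`-like objects so the code runs outside a browser.

```javascript
// Added example (not the page's own code). Allowed origins are assumptions.
const ALLOWED_ORIGINS = new Set([
  'https://myapp.example.com',   // origin used in the page's example
  'https://widgets.example.com', // constructed second trusted origin
]);

// True only for an exact match against a trusted origin. Substring checks
// such as origin.includes('example.com') or origin.startsWith('https://myapp')
// accept lookalike hosts, so whole-string comparison is used instead.
function isTrustedOrigin(origin, allowed = ALLOWED_ORIGINS) {
  return typeof origin === 'string' && allowed.has(origin);
}

// Builds a handler for window.addEventListener('message', ...).
// Untrusted events are ignored (and counted for monitoring) before
// event.data is parsed or acted upon.
function createMessageHandler(actOnMessage, allowed = ALLOWED_ORIGINS) {
  const stats = { accepted: 0, rejected: 0 };
  const handler = (event) => {
    if (!isTrustedOrigin(event.origin, allowed)) {
      stats.rejected += 1;
      return; // drop silently; never touch event.data here
    }
    stats.accepted += 1;
    actOnMessage(event.data, event);
  };
  handler.stats = stats;
  return handler;
}

// Demonstration over constructed events (no browser required).
function runDemo() {
  const received = [];
  const handler = createMessageHandler((data) => received.push(data));

  const events = [ // constructed sample events
    { origin: 'https://myapp.example.com', data: 'legit' },
    { origin: 'https://myapp.example.com.evil.example', data: 'lookalike host' },
    { origin: 'http://myapp.example.com', data: 'wrong scheme' },
    { origin: 'null', data: 'opaque origin (sandboxed iframe, file:)' },
    { origin: 'https://widgets.example.com', data: 'second trusted origin' },
  ];
  events.forEach(handler);
  return { received, stats: handler.stats };
}

// Wire the handler up when running in a real page.
if (typeof window !== 'undefined') {
  window.addEventListener(
    'message',
    createMessageHandler((data) => console.log('trusted message:', data))
  );
}
```

Of the five constructed events, only the two whose origin matches the allowlist exactly reach `actOnMessage`; the lookalike host, the `http://` variant and the opaque `"null"` origin are all rejected. Ignoring rather than throwing keeps one bad message from aborting the listener, while the counters give something to alert on if rejected messages spike.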

Resources

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_message_handler_origin

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=javascript_lang_message_handler_origin