Unchecked origin in message handler detected.

Description

Message events delivered by window.postMessage can come from any page that holds a reference to the receiving window: the parent of an iframe, an iframe embedded in the page, or a window that was opened by (or opened) it. A handler that acts on event.data without checking event.origin will process data sent by an attacker-controlled page; if that data is written into the DOM, evaluated, or used to drive sensitive actions, the result is Cross-Site Scripting (XSS) or a similar compromise. Compare event.origin, which the browser sets and the sender cannot spoof, against an exact allowlist of expected origins before doing anything with the message.

Remediations

❌ Avoid handling messages from any origin (vulnerable: event.origin is never checked, so any page that can reach this window controls event.data):

window.addEventListener('message', (event) => {
  actOnMessage(event.data)
})

✅ Validate the origin before acting on the message:

window.addEventListener('message', (event) => {
  // Exact comparison of the full origin (scheme, host and port).
  // A prefix or substring check would accept an origin such as
  // https://myapp.example.com.attacker.net
  if (event.origin !== 'https://myapp.example.com') {
    throw new Error('invalid origin')
  }

  actOnMessage(event.data)
})
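The following is an added example that is not part of the original rule page or of Bearer's own code. It generalises the single-origin check above to an allowlist, shows why the comparison must be exact rather than a prefix match, validates the payload shape even for trusted senders, and covers the sending side, where targetOrigin must not be '*'. The origins, the message shape (an object with a type field) and the actOnMessage behaviour are assumptions for illustration; the sample events are constructed to mirror what a browser would deliver, so the logic can be exercised outside a browser.

```javascript
// Added example, not code from the Bearer rule page.
// Allowed origins are an assumption for illustration.
const ALLOWED_ORIGINS = new Set([
  'https://myapp.example.com',
  'https://admin.myapp.example.com',
]);

// Exact string membership in a closed allowlist. startsWith()/indexOf()
// are classic bypasses: 'https://myapp.example.com.attacker.net' starts with
// the trusted origin. Scheme and port are part of the origin, so
// 'http://myapp.example.com' is rejected too, as is the opaque origin 'null'
// that sandboxed iframes and data: URLs report.
function isTrustedOrigin(origin) {
  return typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);
}

// Hypothetical application logic: only handles one message type and never
// interprets the payload as markup or code.
function actOnMessage(data) {
  switch (data.type) {
    case 'setTheme':
      return { ok: true, theme: String(data.theme) };
    default:
      return null;
  }
}

// Handler body, factored out so it returns a result instead of only acting.
// Returns null for dropped messages; nothing in event.data is touched before
// the origin check passes.
function handleMessage(event) {
  if (!isTrustedOrigin(event.origin)) {
    return null; // drop silently rather than throwing inside the listener
  }
  // Even a trusted origin may be compromised or send unexpected data:
  // validate the payload shape before acting on it.
  const data = event.data;
  if (!data || typeof data !== 'object' || typeof data.type !== 'string') {
    return null;
  }
  return actOnMessage(data);
}

// Browser registration; event.origin is filled in by the browser.
function registerHandler(target = globalThis) {
  if (typeof target.addEventListener === 'function') {
    target.addEventListener('message', handleMessage);
  }
}

// Sending side of the same contract: a targetOrigin of '*' delivers the
// message to whatever page currently occupies the target window, which may
// not be the one you expect after a navigation. Refuse it.
function postToTrusted(targetWindow, message, targetOrigin) {
  if (targetOrigin === '*' || !isTrustedOrigin(targetOrigin)) {
    throw new Error('refusing to postMessage to untrusted targetOrigin');
  }
  targetWindow.postMessage(message, targetOrigin);
}

// Constructed sample events in the shape a browser would deliver.
const SAMPLE_EVENTS = [
  { origin: 'https://myapp.example.com', data: { type: 'setTheme', theme: 'dark' } },
  { origin: 'https://myapp.example.com.attacker.net', data: { type: 'setTheme', theme: 'evil' } },
  { origin: 'http://myapp.example.com', data: { type: 'setTheme', theme: 'evil' } },
  { origin: 'null', data: { type: 'setTheme', theme: 'evil' } },
  { origin: 'https://myapp.example.com', data: '<img src=x onerror=alert(1)>' },
];

// Runs every sample through the handler; only the first is accepted.
function runSamples() {
  return SAMPLE_EVENTS.map(handleMessage);
}
```

Only the first sample yields a result; the look-alike host, the scheme mismatch, the opaque 'null' origin and the string payload from a trusted origin are all dropped. Returning instead of throwing keeps the listener from spraying uncaught errors into the console for every stray message on the page; the original page's throw is an acceptable alternative as long as nothing after it runs.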

Resources

Associated CWE

OWASP Top 10
