Missing origin check in message handler

Description

Applications should check the origin of message events. Handling messages from untrusted origins could lead to Cross-Site Scripting (XSS) attacks.

Remediations

❌ Avoid handling messages from any origin:

window.addEventListener('message', (event) => {
actOnMessage(event.data)
})

✅ Validate the origin:

window.addEventListener('message', (event) => {
if (event.origin != 'https://myapp.example.com') {
throw new Error('invalid origin')
}

actOnMessage(event.data)
})

Resources

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_message_handler_origin

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_lang_message_handler_origin

Ready to take the next step? Learn more about Bearer Cloud.