Will It Vibe logoWill It Vibe?
WEBSEC-012Medium severity-8 points

postMessage with a wildcard target origin

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

postMessage is called with '*' as the target origin, so the message is delivered to whatever document occupies the frame, including a malicious one.

Why it matters

postMessage with '*' as the target origin sends the message to whatever document is in the target frame at that moment, not necessarily the one you intended. If a different or malicious page has been navigated into the frame, it receives your payload, which can leak tokens or user data. The wildcard removes the only origin check the API offers on the sending side.

How to fix it

Pass the exact expected origin as the second argument to postMessage instead of '*'. Use a known constant such as the embedded app origin, and keep it in configuration rather than hardcoding wildcards. On the receiving side, verify event.origin before acting on the message.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks