'message' listener without origin check
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
A window addEventListener('message', ...) handler exists in a file that never reads event.origin, so it may act on messages from any frame. Heuristic.
Why it matters
A window 'message' listener that never reads event.origin acts on messages from any frame or window, including a malicious one. An attacker page that can post to your window can then drive whatever the handler does with the message data. This is a heuristic: the rule flags files that register a message listener but contain no event.origin check anywhere.
How to fix it
At the top of the handler, check event.origin against an allowlist of expected origins and return early if it does not match. Also validate event.source where relevant and treat event.data as untrusted input (validate its shape before use). Keep the allowlist in configuration.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo