no-message-event-without-origin-check
Disallow receiving message events and consuming event.data without checking
event.origin.
Targeted pattern scopeโ
This rule targets inline addEventListener("message", ...) handlers and
onmessage = ... assignments that read message data without validating the
sender origin.
What this rule reportsโ
This rule reports message event callbacks that:
- read
event.data, or - destructure
{ data }from the message event,
without an observable origin validation step.
Why this rule existsโ
Cross-document messaging is only safe when the receiver validates where the
message came from. Reading message payloads without checking event.origin can
trust attacker-controlled input from another window, frame, or worker.
โ Incorrectโ
window.addEventListener("message", (event) => {
consume(event.data);
});
โ Correctโ
window.addEventListener("message", (event) => {
if (event.origin !== "https://example.com") {
return;
}
consume(event.data);
});
Behavior and migration notesโ
This rule intentionally does not autofix or insert stub origin checks because the correct allowlist depends on your deployment model.
ESLint flat config exampleโ
import sdl from "eslint-plugin-sdl-2";
export default [
{
plugins: { sdl },
rules: {
"sdl/no-message-event-without-origin-check": "error",
},
},
];
When not to use itโ
Disable only for message handlers that never process untrusted cross-origin messages and already rely on a reviewed trust boundary this rule cannot see.
Package documentationโ
Further readingโ
Rule catalog ID: R048