Skip to main content

no-postmessage-star-origin

Disallow wildcard target origins in postMessage calls.

Targeted pattern scopeโ€‹

This rule targets window.postMessage(...) style calls where the target origin argument is "*".

What this rule reportsโ€‹

This rule reports message sends that do not restrict target origin to a known trusted origin.

Why this rule existsโ€‹

Using "*" can expose sensitive messages to unintended or attacker-controlled origins.

โŒ Incorrectโ€‹

otherWindow.postMessage({ token }, "*");

โœ… Correctโ€‹

otherWindow.postMessage({ token }, "https://example.com");

ESLint flat config exampleโ€‹

import sdl from "eslint-plugin-sdl-2";

export default [
{
plugins: { sdl },
rules: {
"sdl/no-postmessage-star-origin": "error",
},
},
];

When not to use itโ€‹

Disable only in controlled test harnesses where wildcard messaging is required.

Package documentationโ€‹

Further readingโ€‹

Rule catalog ID: R024