no-postmessage-without-origin-allowlist
Require explicit allowlisted origins for postMessage targetOrigin values.
Targeted pattern scope
postMessage calls without strict explicit target-origin allowlists.
What this rule reports
postMessage calls whose targetOrigin argument is the wildcard "*" or is not a string literal (a variable, template string, or other expression computed at runtime).
Why this rule exists
A wildcard or unverified targetOrigin delivers the message to whatever document currently occupies the target window. If that window has been navigated to an attacker-controlled origin, the browser still hands over the payload, so application data or command messages leak to a malicious frame. A literal, allowlisted targetOrigin makes the browser drop the message unless the receiver's origin matches exactly.
❌ Incorrect
target.postMessage(data, "*");
✅ Correct
target.postMessage(data, "https://example.com");
ESLint flat config example
import sdl from "eslint-plugin-sdl-2";

export default [
  {
    plugins: { sdl },
    rules: {
      "sdl/no-postmessage-without-origin-allowlist": "error",
    },
  },
];
When not to use it
Disable only where the target origin is guaranteed by a reviewed helper abstraction (one that accepts only origins from a literal allowlist before calling postMessage) or by a controlled embedding environment in which every possible receiver is trusted. Scope any disable to that helper, not to the whole file.
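The following is an added example of the kind of reviewed helper the exemption above refers to; it is not code from the eslint-plugin-sdl-2 package. The helper keeps the allowlist as literals, normalises the caller's origin with the URL API, refuses anything not on the list, and is the one place where a disable comment for this rule would be justified. The matching receiver-side event.origin check is included because the sender's targetOrigin and the receiver's origin check are two halves of the same control. The origins, the function names and the fake window object are constructed for illustration.

```javascript
// Added example (not part of eslint-plugin-sdl-2): a sender-side helper that
// only ever passes an allowlisted literal origin as targetOrigin, plus the
// receiver-side event.origin check. Origins and names are illustrative.

// Origins this application may exchange messages with. Keep this list literal
// and reviewed; the rule flags targetOrigin values computed at runtime.
const ALLOWED_ORIGINS = Object.freeze([
  "https://app.example.com",
  "https://widgets.example.com",
]);

// Reduce a candidate to scheme://host[:port] using the URL parser, so that
// "https://app.example.com/embed?x=1" and "https://app.example.com" compare
// equal. Returns null for anything unparseable or with an opaque origin
// (which the URL API reports as the string "null").
function normalizeOrigin(candidate) {
  try {
    const origin = new URL(candidate).origin;
    return origin === "null" ? null : origin;
  } catch {
    return null; // "*", "", relative paths and other non-URLs end up here
  }
}

// Send `data` to `targetWindow` only if `origin` normalises to an allowlisted
// value. Returns the origin actually passed to postMessage; throws otherwise,
// so a bad origin can never silently fall back to "*".
function postToAllowedOrigin(targetWindow, data, origin) {
  const normalized = normalizeOrigin(origin);
  if (normalized === null || !ALLOWED_ORIGINS.includes(normalized)) {
    throw new Error(`refusing postMessage to non-allowlisted origin: ${origin}`);
  }
  // `normalized` is always one of the literals in ALLOWED_ORIGINS. This call is
  // the single spot where a scoped disable of the rule is acceptable.
  targetWindow.postMessage(data, normalized);
  return normalized;
}

// Receiver side: check event.origin against the same allowlist before reading
// event.data. Returns the accepted payload, or null for anything else.
function handleIncoming(event) {
  if (!ALLOWED_ORIGINS.includes(event.origin)) {
    return null;
  }
  return event.data;
}

// Constructed stand-in for a window reference (e.g. iframe.contentWindow) so
// the helper can be exercised outside a browser; it records what was sent.
function makeFakeWindow() {
  const sent = [];
  return {
    sent,
    postMessage(data, targetOrigin) {
      sent.push({ data, targetOrigin });
    },
  };
}

// Stand-alone demonstration with the constructed window.
const frame = makeFakeWindow();
postToAllowedOrigin(frame, { type: "ping" }, "https://app.example.com/embed?x=1");
try {
  postToAllowedOrigin(frame, { type: "secret" }, "*");
} catch (err) {
  // Wildcard refused; nothing was sent for this call.
}
```

In a real page the allowlist check on the receiver is what stops a hostile parent or sibling frame from injecting commands, while the sender helper stops the page from disclosing data to a window that has been navigated elsewhere; both are needed, and the rule only sees the sender half.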
Rule catalog ID: R044