Skip to main content

no-postmessage-without-origin-allowlist

Require explicit allowlisted origins for postMessage targetOrigin values.

Targeted pattern scopeโ€‹

postMessage calls without strict explicit target-origin allowlists.

What this rule reportsโ€‹

postMessage targetOrigin values that are wildcard or non-literal/dynamic.

Why this rule existsโ€‹

Weak targetOrigin control can expose cross-origin data or command channels to malicious frames.

โŒ Incorrectโ€‹

target.postMessage(data, "*");

โœ… Correctโ€‹

target.postMessage(data, "https://example.com");

ESLint flat config exampleโ€‹

import sdl from "eslint-plugin-sdl-2";

export default [
{
plugins: { sdl },

rules: {
"sdl/no-postmessage-without-origin-allowlist": "error",
},
},
];

When not to use itโ€‹

Disable only if the target origin is validated by a reviewed helper abstraction or a controlled embedding environment.

Package documentationโ€‹

Further readingโ€‹

Rule catalog ID: R044