Finding postMessage Origin Validation Failures in Production
How postMessage Breaks Origin Boundaries
window.postMessage is one of the few browser APIs that let different origins talk to each other. A page from app.example.com can send a message to an iframe from payments.example.com or even to a popup from a third-party OAuth provider. That's powerful, but it's also a trust boundary that breaks way too often in real apps. In this post I'll show you how to find missing origin validation failures in production, so you can close those gaps before an attacker does.
The big mistake is treating postMessage like a secure channel. It isn't. The API only guarantees delivery. It doesn't authenticate the sender, verify the message content, or enforce any access control. All of that is your responsibility, and I've seen production code get it wrong more times than not.
How Missing Origin Validation Creates Security Bugs
The core bug: a page listens for messages without ever checking where they came from.
window.addEventListener('message', (e) => {
// No origin check
document.getElementById('data').innerHTML = e.data.content;
});
Any origin can call otherWindow.postMessage(...) and the listener runs whatever logic the developer wrote. An attacker controlling a malicious page can open the target in an iframe or a popup, then fire messages at it—completely invisible during normal usage.
The missing validation isn't always as obvious as skipping e.origin entirely. Often it's present but broken in subtle ways.
Finding postMessage Origin Validation Gaps in Production
Crafting a Malicious postMessage Attack Page
I always start with a simple attacker page that uses postMessage: open the target in a new window or iframe, then blast messages at it. If the target responds or performs an action without an origin check, you've found step one.
const win = window.open('https://victim.com/app');
// wait for load, then post
win.postMessage({ action: 'deleteUser', userId: 1 }, '*');
If '*' as the targetOrigin works and the handler processes the payload, you already have an origin validation failure.
Using Browser DevTools to Find postMessage Listeners
Open DevTools on the target site, go to the Sources tab, and search for addEventListener('message'. That's the fastest way to find listeners in production code. You can also look for postMessage calls to find message senders. Set a breakpoint on the listener and watch e.origin, e.data, and e.source as you interact with the app normally.
Inspecting postMessage Traffic with Proxies and Interception Tools
When dealing with minified or obfuscated bundles, I route traffic through Burp or a similar proxy and look for strings like 'message' in response bodies. Browser extensions that log postMessage activity also help dump every message that fires on the page.
Common postMessage Origin Validation Mistakes You'll Find
e.origin === 'https://example.com' Done Wrong
A straight string comparison fails if the expected origin changes because of www/non-www, http vs https, or the port number. Even a trailing slash in the expected origin string breaks the check:
if (e.origin === 'https://example.com/') // never true; origin never has trailing slash
The origin property is a URL without a path, trailing slash, or query. Hardcoding the wrong string happens all the time.
Wildcard Checks and Loose Regex That Bypass Validation
You'll see patterns like:
if (e.origin.endsWith('example.com')) { ... }
An attacker registers attacker-example.com, which ends with example.com. The check passes. I've seen regex so loose it allows any subdomain, which is effectively a wildcard.
Trusting window.opener or window.parent Without Verification
Some developers think checking e.source === window.parent proves the message came from a trusted parent iframe. It only tells you the message came from that window reference, not that the window belongs to a legitimate origin. An attacker can embed your vulnerable iframe and become window.parent. They control both origin and source. That check is meaningless unless you also verify e.origin.
Turning a Missing Origin Check into a Real Attack in Minutes
The attack flow is straightforward:
- Host a malicious page on
attacker.com. - Embed the vulnerable target in an iframe or open it as a popup.
- Craft a
postMessagecall that triggers the vulnerable handler. - Deliver the link to a logged-in user.
If the handler trusts the message data blindly—setting innerHTML, navigating the page, or calling an authenticated API—the impact is direct. No CORS, no CSP, just raw trust that a message came from a friend. I've used this to steal tokens, inject DOM XSS, and reconfigure user settings in real production apps.
Defensive Patterns That Actually Hold Up
The fix isn't just adding an origin check. You need a precise allowlist and a way to handle messages from multiple expected origins.
const allowed = ['https://app.example.com', 'https://admin.example.com'];
window.addEventListener('message', (e) => {
if (!allowed.includes(e.origin)) return;
// Now handle e.data safely.
});
If you control both sender and receiver, passing a shared token or verifying the message structure with a cryptographic check is even better for security‑critical operations. As a baseline, a strict origin allowlist plus input validation inside the handler closes most of the attack surface.
Conclusion
postMessage enables cross-origin integrations nothing else can, but it's also one of the most abused APIs in frontend security. Production apps ship missing origin checks, broken string comparisons, and wildcard assumptions every day. Finding those failures only takes a few minutes of DevTools inspection and a simple attacker page. The defenses are boring—an origin allowlist, input validation, and dropping messages from unfamiliar origins—but they work.
