security.browser

Verify `message` event origins

`message` handlers should validate `event.origin` before trusting cross-window data.

#Why it matters

Without an origin check, hostile pages can post crafted messages into the handler.

#Remediation

Gate the handler on a strict allowlist of expected origins before reading `event.data`.
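The gate described above, as an added example that is not taken from the rule catalog. The allowlisted origins, the function names, and the sample events are constructed for illustration, and a loose prefix check is included only to show why the allowlist must match exactly.

```javascript
// Constructed placeholder origins in serialized form (scheme://host[:port]).
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://pay.example.com",
]);

// Exact match against the allowlist; prefix or substring tests are not an allowlist.
function isTrustedOrigin(origin) {
  return typeof origin === "string" && ALLOWED_ORIGINS.has(origin);
}

// Loose check, shown only for comparison with isTrustedOrigin.
function looseOriginCheck(origin) {
  return String(origin).startsWith("https://app.example.com");
}

// Wraps a handler so event.data is read only after the origin check passes.
function guardMessageHandler(onTrusted) {
  return function handleMessage(event) {
    if (!isTrustedOrigin(event.origin)) {
      return false; // dropped; event.data is never touched
    }
    onTrusted(event.data, event.origin);
    return true;
  };
}

// Constructed sample events standing in for MessageEvent objects.
function runSamples() {
  const received = [];
  const handler = guardMessageHandler((data) => received.push(data));
  const samples = [
    { origin: "https://app.example.com", data: { type: "resize", height: 480 } },
    { origin: "https://app.example.com.lookalike.test", data: { type: "resize" } },
    { origin: "http://app.example.com", data: { type: "resize" } }, // wrong scheme
    { origin: "null", data: { type: "resize" } }, // opaque origin (sandboxed frame)
  ];
  return { accepted: samples.map((e) => handler(e)), received };
}

// Browser wiring; skipped when the file runs outside a browser (e.g. Node).
if (typeof window !== "undefined" && typeof window.addEventListener === "function") {
  window.addEventListener("message", guardMessageHandler((data, origin) => {
    console.log("trusted message from", origin, data);
  }));
}
```

Only the first sample is delivered to the callback; the lookalike host, the `http:` variant, and the opaque `"null"` origin are dropped before `event.data` is read.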

#Repository path

The generated metadata points to `critiq-rules/libs/rules/catalog/rules/typescript/ts.security.missing-message-origin-check.rule.yaml`.