Critiq Docs
Get started
security.browser

Avoid wildcard `postMessage` targets

`postMessage` calls should not use `*` as the target origin when they carry application data.

#Metadata

Rule ID
ts.security.postmessage-wildcard-origin
Severity
high
Confidence
0.95
Languages
javascript, typescript
Presets
recommended, security, strict
Stability
stable
Applies to
block
Tags
browser, messaging, rules-catalog, security

#Why it matters

Wildcard targets allow the browser to deliver the message to any origin that receives the window reference.

#Remediation

Set the target origin to a strict expected origin instead of `*`.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.postmessage-wildcard-origin.rule.yaml.

Back to registryOpen rule in repository