New
Introducing React Doctor for Enterprise
Menu
What Is React Doctor?
Quickstart
CLI to CI
How to Fix Issues
GitHub Actions Setup
Updating CI
Other CI Providers
Migrating to CI v2
Config Files
ESLint & oxlint Plugins
CLI Reference
GitHub Action Reference
Node.js API
Changelog
Terms of Service
Privacy Policy
Data Use
Security
Support
Rules reference

react-doctor/postmessage-origin-risk

Reading `event.data` in a `message` handler without checking `event.origin` lets any other window send data your code trusts, which can lead to cross-site scripting or data theft.

  • Category: Security
  • Severity: warn
  • Source: oxlint-plugin-react-doctor
  • Framework: global
  • Enabled when: production source files (.js/.ts/.jsx/.tsx); test/scripts/docs/generated paths and any file path containing "worker" skipped

Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Fires when a message handler — a *.addEventListener('message', ...) call or a *.onmessage = assignment — reads event.data (also matched on e/evt/msg/message.data) without an origin/sender check appearing before that read. An origin check is any origin reference (a helper call like isTrustedOrigin(event) or a destructured binding; original is excluded) or an event.source ===/!== comparison; if the check is ordered after the first .data read it still fires. Same-application channels are exempt — MessagePort/Worker/BroadcastChannel/WebSocket/EventSource/SSE targets (port, worker, channel, broadcast, socket, ws, sse, eventsource, self.onmessage, source.) and files whose path contains "worker" are skipped. FALSE POSITIVE: real origin validation the static check can't see textually before the read — e.g. it lives in a deeply nested helper whose name lacks "origin", or the first .data access is benign (logging) and a genuine guard follows; confirm only when event.data is consumed with no exact-origin allowlist check.

Fix prompt

Use this once validation confirms the diagnostic is real.

At the top of the handler, compare event.origin for exact equality against a known origin (if (event.origin !== EXPECTED_ORIGIN) return;), never an endsWith/includes/regex match an attacker domain can satisfy. Optionally also confirm event.source is the expected window or iframe. Treat any parent or child frame as attacker-controlled and read event.data only after the check passes.