Home

Awesome

Build Status

Disallow wildcard targets for postMessage (no-wildcard-postmessage)

This function disallows unsafe coding practices that may result into security vulnerabilities. We will postMessage calls that contain a target origin of "*".

Rule Details

Disallowed:

frame.postMessage(obj, "*");

A few examples of allowed practices:

frame.postMessage(obj, "http://domain.tld");
// in a worker:
postMessage(obj);

This rule is being used within Mozilla to maintain and improve the security of various front-end codebases.