@movable/eslint-plugin-no-wildcard-postmessage
v1.0.0
Custom ESLint rule that disallows calling postMessage with wildcard targets
Disallow wildcard targets for postMessage (no-wildcard-postmessage)
This rule disallows unsafe coding practices that may result in security vulnerabilities.
We will disallow postMessage calls that contain a target origin of "*".
Rule Details
Disallowed:
frame.postMessage(obj, "*");
A few examples of allowed practices:
frame.postMessage(obj, "http://domain.tld");
// in a worker:
postMessage(obj);
This rule is being used within Mozilla to maintain and improve the security of the Firefox OS front-end codebase Gaia. Further documentation, which includes references to the escaping functions, can be found on MDN.
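How a rule of this kind can match the calls listed under Rule Details, as an added sketch that is not the plugin's own source. It goes slightly beyond the listed cases by also catching a computed `frame["postMessage"]` callee and a `*` written as a template literal; the helper names and the hand-built ESTree nodes are assumptions made so the block runs without ESLint installed.

```javascript
// Added sketch, not the plugin's source: an ESLint-style rule object that
// reports postMessage calls whose target origin is statically the wildcard "*".

// True when an ESTree node is the string "*" (plain literal or `*` template).
function isWildcard(node) {
  if (!node) return false; // e.g. worker-style postMessage(obj) has no 2nd argument
  if (node.type === "Literal") return node.value === "*";
  if (node.type === "TemplateLiteral") {
    return node.expressions.length === 0 &&
      node.quasis.length === 1 && node.quasis[0].value.cooked === "*";
  }
  return false; // variables and expressions cannot be judged statically here
}

// Name of the called function for foo(), obj.foo() and obj["foo"]().
function calleeName(callee) {
  if (callee.type === "Identifier") return callee.name;
  if (callee.type !== "MemberExpression") return null;
  const prop = callee.property;
  if (!callee.computed) return prop.type === "Identifier" ? prop.name : null;
  return prop.type === "Literal" ? prop.value : null;
}

const noWildcardPostMessage = {
  meta: { type: "problem", schema: [] },
  create(context) {
    return {
      CallExpression(node) {
        if (calleeName(node.callee) !== "postMessage") return;
        if (isWildcard(node.arguments[1])) {
          context.report({ node, message: 'postMessage target origin must not be "*"' });
        }
      },
    };
  },
};

// Constructed ESTree nodes standing in for parser output (assumed helpers).
const id = (name) => ({ type: "Identifier", name });
const str = (value) => ({ type: "Literal", value });
const call = (callee, ...args) => ({ type: "CallExpression", callee, arguments: args });
const member = (obj, prop, computed = false) =>
  ({ type: "MemberExpression", object: id(obj), property: prop, computed });

// Runs the rule over one call node and returns the reported messages.
function lint(node) {
  const reports = [];
  noWildcardPostMessage.create({ report: (r) => reports.push(r.message) }).CallExpression(node);
  return reports;
}
```

Only a literal `"*"` is caught; a wildcard passed through a variable or built at runtime is outside what this static check can see.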