This is to secure the event listener to make sure the origin is in the allowed origin list. Currently, all messages are routed from iframe to parent and the iframe postal instance can't restrict by allowed origins.
I am suggesting this additional check because failure to check the origin and possibly source properties enables cross-site scripting attacks.
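The origin and source check described above, as an added example (not code from this pull request or from postal itself). `normalizeOrigin`, `makeMessageGate`, the `example.test` origins and the sample events are hypothetical and constructed for illustration.

```javascript
// Added example: an origin/source gate for a window "message" listener.
// All names and sample values are hypothetical, not postal's API.

// Canonicalise configured allowlist entries once, so a trailing slash or an
// explicit default port still equals what the browser reports in event.origin.
function normalizeOrigin(value) {
  try {
    const u = new URL(value);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    return u.origin;
  } catch (_) {
    return null; // "*", "null" (opaque/sandboxed origin) and junk never match
  }
}

function makeMessageGate(allowedOrigins, isKnownSource, deliver) {
  const allowed = new Set(allowedOrigins.map(normalizeOrigin).filter(Boolean));
  return function onMessage(event) {
    // Exact match against the allowlist: no startsWith, indexOf or loose regex,
    // which would accept look-alike hosts that merely contain an allowed name.
    if (typeof event.origin !== "string" || !allowed.has(event.origin)) return false;
    // Origin alone does not identify the sender when several windows share it,
    // so also require event.source to be a window this page embedded.
    if (!isKnownSource(event.source)) return false;
    deliver(event.data, event.origin);
    return true;
  };
}

// Constructed events standing in for MessageEvent objects.
function runDemo() {
  const widgetWindow = { name: "widget-frame" }; // stands in for iframe.contentWindow
  const received = [];
  const gate = makeMessageGate(
    ["https://widget.example.test/"],
    (src) => src === widgetWindow,
    (data) => received.push(data)
  );
  const results = [
    gate({ origin: "https://widget.example.test", source: widgetWindow, data: "ok" }),
    gate({ origin: "https://widget.example.test.lookalike.test", source: widgetWindow, data: "x" }),
    gate({ origin: "null", source: widgetWindow, data: "x" }),
    gate({ origin: "https://widget.example.test", source: {}, data: "x" }),
  ];
  return { results, received };
}
// In a page: window.addEventListener("message", gate);
```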