You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently we are using wildcard '*' while communicating with postMessage. It is not correct as it broadcasts messages to all.
We need to fix it so that communication can only be between out content script and webpage.
Here I have broadcasted a postMessage with select-identifier from webpage. I setup another extension that listened to this and alerted.
As postMessage is using wildcard, the select-identifier messages was broadcasted to every window. It could be exploited.
Currently we are using wildcard '*' while communicating with postMessage. It is not correct as it broadcasts messages to all.
We need to fix it so that communication can only be between out content script and webpage.
Relevant links:
https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage#using_window.postmessage_in_extensions_non-standard
The text was updated successfully, but these errors were encountered: