Skip to content

Security: Cross-window messaging uses wildcard target origin#499

Open
tuanaiseo wants to merge 1 commit intohediet:mainfrom
tuanaiseo:contribai/fix/security/cross-window-messaging-uses-wildcard-tar
Open

Security: Cross-window messaging uses wildcard target origin#499
tuanaiseo wants to merge 1 commit intohediet:mainfrom
tuanaiseo:contribai/fix/security/cross-window-messaging-uses-wildcard-tar

Conversation

@tuanaiseo
Copy link
Copy Markdown

@tuanaiseo tuanaiseo commented Apr 3, 2026

Problem

Plugin messaging sends data with postMessage(..., "*"), which does not constrain recipients by origin. Sensitive actions/events (including command invocation flows) can be exposed to unintended origins if window relationships change or are abused.

Severity: high
File: drawio-custom-plugins/src/vscode.ts

Solution

Use a strict expected origin instead of "*", and enforce origin checks on both senders and receivers.

Changes

  • drawio-custom-plugins/src/vscode.ts (modified)

Testing

  • Existing tests pass
  • Manual review completed
  • No new warnings/errors introduced

@tuanaiseo
fix(security): cross-window messaging uses wildcard target origin
6a1478c 
Plugin messaging sends data with `postMessage(..., "*")`, which does not constrain recipients by origin. Sensitive actions/events (including command invocation flows) can be exposed to unintended origins if window relationships change or are abused.

Affected files: vscode.ts

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@tuanaiseo