CodeQL documentation

Missing origin verification in postMessage handler

ID: js/missing-origin-check
Kind: problem
Severity: warning
Precision: medium
   - correctness
   - security
   - external/cwe/cwe-020
   - external/cwe/cwe-940
Query suites:
   - javascript-security-extended.qls
   - javascript-security-and-quality.qls

Click to see the query in the CodeQL repository

The "message" event is used to send messages between windows. An untrusted window can send a message to a trusted window, and it is up to the receiver to verify the legitimacy of the message. One way of performing that verification is to check the origin of the message ensure that it originates from a trusted window.


Always verify the origin of incoming messages.


The example below uses a received message to execute some code. However, the origin of the message is not checked, so it might be possible for an attacker to execute arbitrary code.

function postMessageHandler(event) {
    let origin = event.origin.toLowerCase();

    // BAD: the origin property is not checked

window.addEventListener('message', postMessageHandler, false);

The example is fixed below, where the origin is checked to be trusted. It is therefore not possible for a malicious user to perform an attack using an untrusted origin.

function postMessageHandler(event) {
    // GOOD: the origin property is checked
    if (event.origin === '') {
        // do something

window.addEventListener('message', postMessageHandler, false);


  • © GitHub, Inc.
  • Terms
  • Privacy