Your page listens for `message` events. The legitimate sender is
`https://app.example.com`. Pick a validation strategy and see which sender origins are
accepted, and which dangerous look-alikes slip through to the
`el.innerHTML = data.html` sink. Remember that `event.origin` is only `scheme://host[:port]`
(or the string `null` for an opaque origin), so the look-alikes are all origins an attacker
can really obtain, not URLs with clever paths.
The message the attacker posts (the inner quotes were lost in the original extraction; this is the payload as it has to be written for the `onerror` handler to run):

```js
{ type: 'render', html: `<img src=x onerror="fetch('/steal?c='+document.cookie)">` }
```
| Sender origin | Verdict | Consequence |
|---|---|---|
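The table above is filled in by the page's interactive widget. The following is an added example, not code from the original page: a stand-in for the page's `message` listener and its `el.innerHTML = data.html` sink, run under several origin-validation strategies against a constructed set of sender origins. The strategy names, the origin list and the helpers `makeReceiver`, `acceptedOrigins` and `verdictTable` are this example's own; it goes slightly beyond the page by including an allow-list form of the exact check.

```javascript
// Added example, not code from the original page: simulate the page's
// `message` listener and innerHTML sink under several origin checks and
// record which constructed sender origins reach the sink.

const TRUSTED = 'https://app.example.com';

// Strategies as they show up in real listeners. Only the last two are sound.
const strategies = {
  // Substring match: any origin containing the host string passes.
  includes:   (o) => o.includes('app.example.com'),
  // Prefix match: 'https://app.example.com.evil.net' passes.
  startsWith: (o) => o.startsWith(TRUSTED),
  // Suffix match: 'https://evilapp.example.com' and 'http://app.example.com' pass.
  endsWith:   (o) => o.endsWith('app.example.com'),
  // Unanchored regex with unescaped dots: '.' matches any character.
  regexLoose: (o) => /https:\/\/app.example.com/.test(o),
  // Exact comparison against the one trusted origin.
  exact:      (o) => o === TRUSTED,
  // Exact comparison against an allow-list (the general form of `exact`).
  allowList:  (o, allow = new Set([TRUSTED])) => allow.has(o),
};

// The attacker's message, as quoted on the page.
const PAYLOAD = {
  type: 'render',
  html: `<img src=x onerror="fetch('/steal?c='+document.cookie)">`,
};

// Constructed sender origins: the legitimate one plus look-alikes an attacker
// can actually obtain. event.origin never carries a path, only
// scheme://host[:port]; 'null' is what an opaque origin (e.g. a sandboxed
// iframe) reports.
const ORIGINS = [
  'https://app.example.com',
  'https://app.example.com.evil.net',
  'https://evilapp.example.com',
  'http://app.example.com',
  'https://app.example.com:8443',
  'https://appxexamplexcom',
  'null',
];

// Build a listener that validates the sender and then writes to the sink;
// the fake element is returned so callers can inspect what reached innerHTML.
function makeReceiver(validate) {
  const el = { innerHTML: '' };
  const onMessage = (event) => {
    if (!validate(event.origin)) return;                     // drop untrusted senders
    if (!event.data || event.data.type !== 'render') return;
    el.innerHTML = event.data.html;                          // the dangerous sink
  };
  return { el, onMessage };
}

// Deliver PAYLOAD from every origin to a receiver using `strategyName` and
// return the origins whose payload reached the sink.
function acceptedOrigins(strategyName, origins = ORIGINS) {
  const validate = strategies[strategyName];
  return origins.filter((origin) => {
    const { el, onMessage } = makeReceiver(validate);
    onMessage({ origin, data: PAYLOAD });
    return el.innerHTML === PAYLOAD.html;
  });
}

// One row per strategy: which origins it accepts and whether only the
// trusted origin got through.
function verdictTable(origins = ORIGINS) {
  return Object.keys(strategies).map((name) => {
    const accepted = acceptedOrigins(name, origins);
    return { strategy: name, accepted, safe: accepted.every((o) => o === TRUSTED) };
  });
}

// Example run:
// verdictTable().forEach((r) => console.log(r.strategy, r.safe ? 'safe' : 'UNSAFE', r.accepted));
```

Only `exact` and `allowList` admit the single trusted origin; every substring, prefix, suffix or unanchored-regex check lets at least one look-alike through, and each of those look-alikes is a host or scheme an attacker can register or serve from. Origins are compared as whole strings because that is exactly what the browser guarantees `event.origin` to be.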
targetOrigin leak?
You open a popup for auth and post a token to it. `targetOrigin` is a delivery
precondition: the browser drops the message unless the popup's origin at the moment of
delivery matches it. Passing `'*'` removes that check, so the token goes to whatever page is
loaded in the popup right now, including one it has since been navigated or redirected to.
`targetOrigin` only protects the sender; the receiver still has to check `event.origin`.
Pick both and see what happens.
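The following is an added example, not code from the original page: a toy model of the browser's `postMessage` delivery rule, used to show when a token posted to an auth popup leaks. `FakeWindow`, `deliver`, `tokenLeaks` and the origins and token value are constructed for the example; the rule itself (`'*'` delivers unconditionally, `'/'` means the sender's own origin and is also the default when `targetOrigin` is omitted, any other value is parsed as a URL and its origin compared with the target window's current origin) follows the HTML specification's postMessage steps.

```javascript
// Added example, not code from the original page: model postMessage delivery
// to a popup whose origin may have changed since it was opened.

class FakeWindow {
  constructor(origin) { this.origin = origin; this.inbox = []; }
  // A navigation keeps the Window reference the opener holds but replaces the
  // document, and with it the origin the delivery check compares against.
  navigate(origin) { this.origin = origin; this.inbox = []; }
}

// Delivery rule: '*' always delivers; '/' (also the spec default when the
// argument is omitted) stands for the sender's own origin; any other value must
// parse as a URL (otherwise the browser throws) and its origin must equal the
// target window's origin at delivery time. Path and query are ignored.
function deliver(sender, target, data, targetOrigin = '/') {
  let required;
  if (targetOrigin === '*') required = null;
  else if (targetOrigin === '/') required = sender.origin;
  else required = new URL(targetOrigin).origin;   // throws on junk like 'auth.example.com'
  if (required !== null && required !== target.origin) return false;   // silently dropped
  target.inbox.push({ data, origin: sender.origin });
  return true;
}

// Scenario: the app opens an auth popup, and by the time it posts the token
// the popup is on some other origin (open redirect, a link the user followed,
// an attacker-controlled page). Returns whether the token landed there.
function tokenLeaks(targetOrigin, popupOriginAtDelivery = 'https://evil.example.net') {
  const opener = new FakeWindow('https://app.example.com');
  const popup = new FakeWindow('https://auth.example.com');   // what window.open loaded
  popup.navigate(popupOriginAtDelivery);                      // what is there now
  deliver(opener, popup, { token: 'constructed-token' }, targetOrigin);
  return popup.inbox.some((m) => m.data.token === 'constructed-token');
}

// Example run:
// console.log(tokenLeaks('*'));                         // true: delivered to evil.example.net
// console.log(tokenLeaks('https://auth.example.com'));  // false: dropped, origin mismatch
```

The pinned `targetOrigin` costs nothing when the popup is where you expect (`https://auth.example.com` still receives the token) and is the only thing standing between the token and an attacker when it is not. `'/'` is safe too, but only delivers to a same-origin popup, which is rarely what an auth flow to a separate auth origin needs.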