Check origin in window.addEventListener('message') #12010#12013

Merged
yasmoradi merged 2 commits into bitfoundation:develop from yasmoradi:12010
Jan 28, 2026

Conversation

@yasmoradi (Member) commented Jan 28, 2026

closes #12010

Summary by CodeRabbit

  • Bug Fixes
    • Improved message handling to prevent unintended processing of messages from other frames or windows, enhancing application stability and message integrity.


@yasmoradi yasmoradi requested a review from Copilot January 28, 2026 11:14
coderabbitai bot commented Jan 28, 2026

Review skipped: auto incremental reviews are disabled on this repository.

Walkthrough

Adds a security gate to the message event listener that checks the origin of incoming messages and ignores cross-origin messages originating from within the window (iframes/tabs). Expands previous comment with detailed security rationale while preserving existing PUBLISH_MESSAGE handling logic.

Changes

Cohort: Security Origin Check
File: src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Scripts/events.ts
Summary: Added origin validation logic to the message event handler; determines whether the message is from a window and cross-origin, returning early if both conditions are true; replaced the single-line comment with a multi-line security explanation (+12/-1)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

Poem

🐰 A message arrives at the window's door,
But we check its origin forevermore!
Cross-origin guests from within? Not today—
Security gates keep the bad ones at bay! 🔐

Pre-merge checks: 4 passed, 1 failed

Failed checks (1 warning)
  • Docstring Coverage (Warning): docstring coverage is 50.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

Passed checks (4)
  • Description Check: check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: the title 'Check origin in window.addEventListener('message') #12010' directly references the main security change and links to the issue.
  • Linked Issues check: the code changes implement origin validation in window.addEventListener('message') as required by issue #12010 to prevent handling messages from untrusted sources.
  • Out of Scope Changes check: all changes are focused on adding origin security validation to the message handler in events.ts, with no unrelated modifications.


Copilot AI (Contributor) left a comment

Pull request overview

This PR addresses a security vulnerability by adding origin verification to the window message event listener. The change prevents potential Cross-Site Scripting (XSS) attacks by validating that messages received from the window context originate from the same domain, while still allowing trusted messages from service workers.

Changes:

  • Added origin validation logic to check if messages come from the same origin when received via window.postMessage
  • Added comprehensive documentation explaining the security rationale for window vs. service worker message handling
  • Refactored comment placement for better code organization
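The gate described in the walkthrough and in the review above, as an added example that is not the project's own events.ts: a 'message' handler returns early when the message was delivered from another browsing context (event.source is a Window, i.e. an iframe or another tab) and event.origin differs from the page's own origin; anything else, such as a message relayed from the service worker, is processed as before. The PUBLISH_MESSAGE key, the subscriber map and the demo events are constructed for this example and are assumptions, not the project's names or data.

```javascript
// Added example (not the bitplatform project's code): origin gate for a
// window.addEventListener('message') handler.
const PUBLISH_MESSAGE = 'PUBLISH_MESSAGE'; // assumed message type, not the project's

// In a browser the check is `source instanceof Window`. The predicate is
// injectable so the gate can be exercised outside a browser (no Window there).
function defaultIsWindowSource(source) {
  return typeof Window !== 'undefined' && source instanceof Window;
}

// Builds the handler. `subscribers` maps message names to callbacks (assumed).
function createMessageHandler({ ownOrigin, subscribers, isWindowSource = defaultIsWindowSource }) {
  return function onMessage(event) {
    // Security gate: any page that holds a reference to this window (opener,
    // parent, embedded iframe) can call postMessage on it, so only the origin
    // comparison separates a trusted sender from an arbitrary one. Opaque
    // origins (sandboxed iframes, file://) arrive as the string "null" and fail
    // the strict comparison, which is the desired outcome.
    if (isWindowSource(event.source) && event.origin !== ownOrigin) {
      return { status: 'ignored', reason: `cross-origin message from ${event.origin}` };
    }

    // Existing dispatch logic is untouched by the gate.
    const data = event.data;
    if (!data || data.type !== PUBLISH_MESSAGE) {
      return { status: 'skipped', reason: 'not a PUBLISH_MESSAGE' };
    }
    const callback = subscribers.get(data.message);
    if (!callback) {
      return { status: 'skipped', reason: `no subscriber for ${data.message}` };
    }
    callback(data.payload);
    return { status: 'handled', message: data.message };
  };
}

// Constructed demo input (not captured from a real application).
function demo() {
  const received = [];
  const subscribers = new Map([['THEME_CHANGED', payload => received.push(payload)]]);
  const onMessage = createMessageHandler({
    ownOrigin: 'https://app.example',
    subscribers,
    isWindowSource: source => Boolean(source) && source.kind === 'window', // stand-in for instanceof Window
  });
  const publish = payload => ({ type: PUBLISH_MESSAGE, message: 'THEME_CHANGED', payload });
  const results = [
    // cross-origin window sender: dropped
    onMessage({ source: { kind: 'window' }, origin: 'https://other.example', data: publish('dark') }),
    // same-origin window sender: handled
    onMessage({ source: { kind: 'window' }, origin: 'https://app.example', data: publish('light') }),
    // non-window source (e.g. service worker): gate does not apply, handled
    onMessage({ source: { kind: 'serviceworker' }, origin: '', data: publish('system') }),
    // opaque origin from a sandboxed frame: dropped
    onMessage({ source: { kind: 'window' }, origin: 'null', data: publish('x') }),
  ];
  return { results, received };
}

// Real registration, only when running in a browser.
if (typeof window !== 'undefined') {
  window.addEventListener('message', createMessageHandler({
    ownOrigin: window.location.origin,
    subscribers: new Map(),
  }));
}
```

Comparing against window.location.origin rather than a hard-coded string keeps the gate correct across environments, and comparing the full origin (scheme, host, port) rather than only the hostname avoids accepting an http:// sender for an https:// page.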

…te.Client.Core/Scripts/events.ts

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Yas Moradi <yas@bitplatform.dev>
@yasmoradi yasmoradi merged commit 12f5842 into bitfoundation:develop Jan 28, 2026
3 checks passed
@yasmoradi yasmoradi deleted the 12010 branch January 28, 2026 12:25
Successfully merging this pull request may close these issues.

bit Boilerplate window.addEventListener('message') must check the origin
