@movable/eslint-plugin-no-wildcard-postmessage

mozfreddyb · 4.3k · MPL-2.0 · 1.0.0

Custom ESLint rule that disallows calling postMessage with wildcard targets

eslint, eslint-plugin, eslintplugin, lint, security

Disallow wildcard targets for postMessage (no-wildcard-postmessage)

This rule disallows unsafe coding practices that may result in security vulnerabilities. It disallows postMessage calls that contain a target origin of "*".

Rule Details

Disallowed:

frame.postMessage(obj, "*");

A few examples of allowed practices:

frame.postMessage(obj, "http://domain.tld");
// in a worker:
postMessage(obj);

This rule is being used within Mozilla to maintain and improve the security of the Firefox OS front-end codebase Gaia. Further documentation, which includes references to the escaping functions, can be found on MDN.
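
To show how a check like this works on the syntax tree, here is an added sketch in ESLint's rule format; it is not the plugin's own source. The names `isWildcard`, `noWildcardPostMessageSketch`, `runRule` and `sampleNode` are hypothetical, and the sketch goes beyond the README by also treating a `*` template literal and the `{ targetOrigin: "*" }` options form as wildcards.

```javascript
// Added sketch, not the plugin's source: an ESLint-style rule object that
// reports postMessage calls whose target origin is the wildcard "*".
function isWildcard(node) {
  if (!node) return false; // no second argument, e.g. postMessage(obj) in a worker
  // "*" written as a string literal
  if (node.type === "Literal") return node.value === "*";
  // `*` written as a template literal without interpolation
  if (node.type === "TemplateLiteral") {
    return node.expressions.length === 0 && node.quasis[0].value.cooked === "*";
  }
  // Options-object form (assumption: also worth flagging): { targetOrigin: "*" }
  if (node.type === "ObjectExpression") {
    return node.properties.some((p) =>
      p.type === "Property" && !p.computed &&
      (p.key.name === "targetOrigin" || p.key.value === "targetOrigin") &&
      isWildcard(p.value));
  }
  return false; // identifiers and other expressions are not resolved here
}

const noWildcardPostMessageSketch = {
  meta: { type: "problem", schema: [] },
  create(context) {
    return {
      CallExpression(node) {
        const callee = node.callee;
        // Match both postMessage(...) and something.postMessage(...)
        const name = callee.type === "MemberExpression"
          ? (callee.computed ? callee.property.value : callee.property.name)
          : callee.name;
        if (name === "postMessage" && isWildcard(node.arguments[1])) {
          context.report({ node, message: "postMessage with wildcard target origin" });
        }
      },
    };
  },
};

// Driver so the sketch runs without ESLint installed: feeds hand-built
// ESTree CallExpression nodes to the rule and collects its reports.
function runRule(rule, nodes) {
  const reports = [];
  const visitor = rule.create({ report: (r) => reports.push(r) });
  nodes.forEach((n) => visitor.CallExpression(n));
  return reports;
}

// Constructed sample: the ESTree node for frame.postMessage(obj, "*")
const sampleNode = { type: "CallExpression", callee: { type: "MemberExpression", computed: false, object: { type: "Identifier", name: "frame" }, property: { type: "Identifier", name: "postMessage" } }, arguments: [{ type: "Identifier", name: "obj" }, { type: "Literal", value: "*" }] };
```

A target origin passed through a variable is not resolved by this sketch, so such calls still need manual review.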

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

1.0.0 (2020-04-21)