Important: This documentation covers Yarn 1 (Classic).
For Yarn 2+ docs and migration guide, see yarnpkg.com.

Package detail

eslint-plugin-no-wildcard-postmessage

mozfreddyb64.8kMPL-2.00.2.0

custom ESLint rule to disallows calling postMessage to wildcard targets

eslint, eslint-plugin, eslintplugin, lint, security

readme

Build Status

Disallow wildcard targets for postMessage (no-wildcard-postmessage)

This function disallows unsafe coding practices that may result into security vulnerabilities. We will postMessage calls that contain a target origin of "*".

Rule Details

Disallowed:

frame.postMessage(obj, "*");

A few examples of allowed practices:

frame.postMessage(obj, "http://domain.tld");
// in a worker:
postMessage(obj);

This rule is being used within Mozilla to maintain and improve the security of the Firefox OS front-end codebase Gaia. Further documentation, which includes references to the escaping functions can be found on MDN.