This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Metadata

ID: javascript-browser-security/event-check-origin

Language: JavaScript

Severity: Warning

Category: Security

CWE: 346

Description

Not checking the rule origin can lead to XSS attacks. Always check the event origin.

Learn More

Non-Compliant Code Examples

window.addEventListener('message', (event) => {
  processing();
})

Compliant Code Examples

window.addEventListener('message', (event) => {
  if (event.origin != 'https://app.domain.tld') {
    throw new Error('invalid origin')
  }

  processing();
})
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis