Security: widget postMessage bridge uses trust-on-first-use; declared allowedOrigin allowlist never validated #227

Description

@ahmetabdullahgultekin

The verify widget's postMessage bridge learns the parent origin from the first fivucsas:config message and trusts it thereafter; the declared allowedOrigin allowlist field is never validated. The only protection is nginx frame-ancestors. A page that frames the widget and is first to post a config can establish a malicious parentOrigin.

Evidence (origin/main): src/verify-app/postMessageBridge.ts:157-177 (parentOrigin set once on first config; no allowlist check).

Fix: validate the incoming origin against the configured allowedOrigin allowlist before accepting it as parentOrigin (don't rely solely on frame-ancestors).

Source: MASTER_ISSUE_REGISTER_2026-06-03 (WEB-8), re-verified on origin/main 2026-06-13.
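The two behaviours the issue contrasts, written out as an added example (not code from the fivucsas repository, and not a reproduction of `src/verify-app/postMessageBridge.ts`): a trust-on-first-use bridge that adopts whatever origin delivers the first `fivucsas:config` message, beside a bridge that only accepts a config from an origin on the configured `allowedOrigin` list. The event shape, class names, origins and allowlist values are constructed for the example so it runs outside a browser; the message type string `fivucsas:config` is the one named in the report.

```typescript
// Minimal stand-in for a browser MessageEvent, so the logic runs under Node.
interface BridgeEvent {
  origin: string;
  data: unknown;
}

function isConfigMessage(data: unknown): boolean {
  return (
    typeof data === "object" &&
    data !== null &&
    (data as { type?: unknown }).type === "fivucsas:config"
  );
}

// Canonicalise an origin string the way the browser would (lower-case scheme
// and host, default port dropped). Anything that is not a parseable origin,
// e.g. the opaque origin "null", is returned unchanged so it can never match.
export function normalizeOrigin(origin: string): string {
  try {
    return new URL(origin).origin;
  } catch {
    return origin;
  }
}

// Pattern described in the issue: the first config message wins, and its
// origin becomes the trusted parentOrigin for the rest of the session.
export class TofuBridge {
  parentOrigin: string | null = null;

  handle(ev: BridgeEvent): boolean {
    if (!isConfigMessage(ev.data)) return false;
    if (this.parentOrigin === null) this.parentOrigin = ev.origin;
    return ev.origin === this.parentOrigin;
  }
}

// Hardened variant: a config is accepted only if its origin is an exact,
// normalised match for an entry in allowedOrigin. frame-ancestors stays in
// place as a second layer; it is no longer the only check.
export class AllowlistBridge {
  private readonly allowed: Set<string>;
  parentOrigin: string | null = null;

  constructor(allowedOrigin: readonly string[]) {
    this.allowed = new Set(allowedOrigin.map(normalizeOrigin));
  }

  handle(ev: BridgeEvent): boolean {
    if (!isConfigMessage(ev.data)) return false;
    const origin = normalizeOrigin(ev.origin);
    // Set membership, not startsWith/includes: "https://dashboard.example.com.evil.test"
    // and "https://evil.test/?x=https://dashboard.example.com" must both fail.
    if (!this.allowed.has(origin)) return false;
    if (this.parentOrigin === null) this.parentOrigin = origin;
    return origin === this.parentOrigin;
  }
}

// Replay the race the issue describes: a framing page posts a config before
// the legitimate parent does. Constructed origins and allowlist.
export function simulateRace() {
  const legit = { origin: "https://dashboard.example.com", data: { type: "fivucsas:config" } };
  const framer = { origin: "https://evil.test", data: { type: "fivucsas:config" } };

  const tofu = new TofuBridge();
  const tofuFramerAccepted = tofu.handle(framer); // first to post wins
  const tofuLegitAccepted = tofu.handle(legit);   // real parent now rejected

  const hardened = new AllowlistBridge(["https://dashboard.example.com"]);
  const hardenedFramerAccepted = hardened.handle(framer); // not on allowlist
  const hardenedLegitAccepted = hardened.handle(legit);

  return {
    tofu: { framerAccepted: tofuFramerAccepted, legitAccepted: tofuLegitAccepted, parentOrigin: tofu.parentOrigin },
    hardened: { framerAccepted: hardenedFramerAccepted, legitAccepted: hardenedLegitAccepted, parentOrigin: hardened.parentOrigin },
  };
}
```

Whatever ends up in `parentOrigin` should also be the `targetOrigin` argument of every reply the widget posts back; sending with `"*"` would hand the same trust problem to the outbound direction.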

Metadata

Assignees: No one assigned

Labels:
- security (Security-sensitive correctness or hardening)
- surface/web (web-app: React dashboard + hosted login)