The verify widget's postMessage bridge learns the parent origin from the first fivucsas:config message it receives and trusts that origin thereafter; the declared allowedOrigin allowlist field is never validated. The only protection is the nginx frame-ancestors directive. A page that frames the widget and is the first to post a config message can establish a malicious parentOrigin.
Evidence (origin/main): src/verify-app/postMessageBridge.ts:157-177 (parentOrigin set once on first config; no allowlist check).
Fix: validate the incoming origin (event.origin) against the configured allowedOrigin allowlist before accepting it as parentOrigin; do not rely solely on frame-ancestors.
Source: MASTER_ISSUE_REGISTER_2026-06-03 (WEB-8), re-verified on origin/main 2026-06-13.
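The following is an added illustration of the trust decision described above, written for this register entry; it is not the project's code and does not reproduce src/verify-app/postMessageBridge.ts. The names ConfigMessage, BridgeState, handleConfigFirstWins, createAllowlistedHandler, simulate and the sample origins are assumed. It shows the "first config wins" pattern beside a handler that checks event.origin against an allowlist, and assumes the allowlist is supplied by the widget's own deployment configuration rather than read from the untrusted message (a sender can put any value in the message it posts).

```typescript
// Added example (not the project's code): a minimal model of how a postMessage
// bridge decides which parent origin to trust. Runs without a DOM; a real
// handler reads event.origin and event.data from the `message` event.

type ConfigMessage = { type: "fivucsas:config"; [key: string]: unknown };

// What a `message` event delivers, reduced to the two fields that matter here.
interface IncomingMessage {
  origin: string; // serialised origin set by the browser, never by the sender
  data: unknown;  // sender-controlled payload
}

interface BridgeState {
  parentOrigin: string | null;
}

function isConfigMessage(data: unknown): data is ConfigMessage {
  return (
    typeof data === "object" &&
    data !== null &&
    (data as { type?: unknown }).type === "fivucsas:config"
  );
}

// "Before" pattern: the first config message pins parentOrigin and is trusted
// from then on. Whichever framing page posts first wins; nothing is checked.
function handleConfigFirstWins(state: BridgeState, msg: IncomingMessage): boolean {
  if (!isConfigMessage(msg.data)) return false;
  if (state.parentOrigin === null) {
    state.parentOrigin = msg.origin; // no allowlist check at all
    return true;
  }
  return msg.origin === state.parentOrigin;
}

// "After" pattern: the allowlist comes from deployment configuration (assumed),
// the browser-supplied origin must match an entry exactly, opaque ("null")
// origins are rejected, and the first accepted origin is pinned so a second
// allowed origin cannot take over a live session. frame-ancestors stays in
// place as a separate layer; this check does not replace it.
function createAllowlistedHandler(allowedOrigin: readonly string[]) {
  const allowed = new Set<string>();
  for (const entry of allowedOrigin) {
    // A wildcard is a configuration error, not a match-all.
    if (entry === "*") throw new Error("wildcard origin is not allowed");
    // Normalise to the serialised form the browser uses (scheme://host[:port],
    // default ports dropped) so comparison with event.origin is exact.
    allowed.add(new URL(entry).origin);
  }
  return function handleConfig(state: BridgeState, msg: IncomingMessage): boolean {
    if (!isConfigMessage(msg.data)) return false;
    if (msg.origin === "null" || !allowed.has(msg.origin)) return false; // reject before trusting
    if (state.parentOrigin === null) {
      state.parentOrigin = msg.origin;
      return true;
    }
    return msg.origin === state.parentOrigin;
  };
}

// Constructed sample traffic: an attacker-controlled framing page posts a
// config first (and even declares itself in the message), then the legitimate
// parent posts. The allowedOrigin field inside the message is ignored on purpose.
const SAMPLE_MESSAGES: IncomingMessage[] = [
  {
    origin: "https://attacker.example",
    data: { type: "fivucsas:config", allowedOrigin: ["https://attacker.example"] },
  },
  { origin: "https://parent.example.com", data: { type: "fivucsas:config" } },
];

// Runs one handler over the sample traffic and reports what it pinned.
function simulate(
  handler: (state: BridgeState, msg: IncomingMessage) => boolean,
): { parentOrigin: string | null; accepted: boolean[] } {
  const state: BridgeState = { parentOrigin: null };
  const accepted = SAMPLE_MESSAGES.map((m) => handler(state, m));
  return { parentOrigin: state.parentOrigin, accepted };
}

console.log("first-wins:", simulate(handleConfigFirstWins));
console.log("allowlisted:", simulate(createAllowlistedHandler(["https://parent.example.com"])));
```

With the first-wins handler the attacker's origin is pinned and the real parent's later config is rejected; with the allowlisted handler the attacker's message is dropped and the parent's is accepted. Replies from the widget should likewise use the pinned parentOrigin as the postMessage target rather than "*".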