From 7cd0942c117d9f63e772c47bc89633c369f0e7e0 Mon Sep 17 00:00:00 2001
From: Sergey Konovalov
Date: Sun, 30 Nov 2025 18:47:09 +0300
Subject: [PATCH] [feature] Avoid wildcard origin in postMessage

---
 .../client/src/pages/AiIntegration/js/plugins-sdk.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/AdminPanel/client/src/pages/AiIntegration/js/plugins-sdk.js b/AdminPanel/client/src/pages/AiIntegration/js/plugins-sdk.js
index 1253fd17..f1bf28bd 100644
--- a/AdminPanel/client/src/pages/AiIntegration/js/plugins-sdk.js
+++ b/AdminPanel/client/src/pages/AiIntegration/js/plugins-sdk.js
@@ -23,7 +23,7 @@ let settingsButton = null;
 function sendMessageToFrame(iframeId, data) {
   const frame = document.getElementById(iframeId);
   if (frame) {
-    frame.contentWindow.postMessage(JSON.stringify(data), '*');
+    frame.contentWindow.postMessage(JSON.stringify(data), window.location.origin);
   }
 }
 
@@ -32,6 +32,11 @@ function sendMessageToFrame(iframeId, data) {
  * @param {MessageEvent} event - The message event
  */
 function receiveMessage(event) {
+  if (event.origin !== window.location.origin) {
+    console.warn('Rejected postMessage from untrusted origin:', event.origin);
+    return;
+  }
+
   if (typeof event.data !== 'string') {
     return;
   }
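Review bot: The new targetOrigin `window.location.origin` in sendMessageToFrame only delivers the message when the plugin iframe is same-origin with the admin panel; a plugin frame served from another origin, or one running in a `sandbox` without `allow-same-origin`, now has the message silently dropped, and if the panel itself ever has an opaque origin the string `"null"` is not a valid targetOrigin and postMessage throws. The hunk does not show where the frames are created, so whether all plugin frames are same-origin is inferred rather than visible. A comment on the changed line would record the assumption: `// Plugin frames are expected to be same-origin; cross-origin plugins need an explicit allow-list here.` The same assumption underlies the origin check added in the second hunk of this file.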
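Review bot: The new guard at the top of receiveMessage accepts any same-origin sender, so any other same-origin window or frame, not only the plugin iframe, can still deliver messages that pass it; comparing `event.source` with the known plugin frame's `contentWindow` would tie each message to its intended sender. The check also rejects sandboxed plugin frames, whose `event.origin` is the string `"null"`, which may be intended but is not stated anywhere in the hunk. A short comment above the check would make both points explicit: `// Only same-origin plugin frames are trusted; sandboxed (opaque-origin) frames are rejected here.` receiveMessage's body continues past the end of the hunk.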