postMessage targetOrigin is not validated in hydra.js — XSS-capable page can spoof edit data



## Security — postMessage origin not validated in hydra.js bridge

### Problem
The hydra.js `message` event listener may not validate `event.origin` against the known Hydra admin origin. This allows any script on the same browser session to send spoofed edit payloads to the frontend iframe, injecting malicious content into the CMS.

### The fix is straightforward
The expected Hydra origin is already encoded in `window.name = 'hydra-edit:<origin>'`:
```js
const hydraOrigin = window.name.split(':').slice(1).join(':');
window.addEventListener('message', (event) => {
  if (event.origin !== hydraOrigin) return; // reject unknown origins
  // process event.data
});
```

### Audit request
Please audit ALL `addEventListener('message', ...)` handlers in hydra.js to confirm origin validation is applied consistently.

### Labels
`security`, `bug`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

postMessage targetOrigin is not validated in hydra.js — XSS-capable page can spoof edit data #198

Security — postMessage origin not validated in hydra.js bridge

Problem

The fix is straightforward

Audit request

Labels

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

postMessage targetOrigin is not validated in hydra.js — XSS-capable page can spoof edit data #198

Description

Security — postMessage origin not validated in hydra.js bridge

Problem

The fix is straightforward

Audit request

Labels

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions