From 1e7d54f7fb3b6ced43ec01e36f27424faa3ed99f Mon Sep 17 00:00:00 2001
From: Alec Rippberger <127791530+alec-livefront@users.noreply.github.com>
Date: Thu, 10 Apr 2025 14:55:26 -0500
Subject: [PATCH] fix(auth): [PM-1779] replace wildcard with window.location.origin in postMessage

Improve security by using specific origin instead of wildcard in postMessage calls to prevent potential information leakage to third parties.

PM-1779
---
 apps/web/src/connectors/duo-redirect.ts | 2 +-
 apps/web/src/connectors/sso.ts | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/web/src/connectors/duo-redirect.ts b/apps/web/src/connectors/duo-redirect.ts
index b5300ff65e7..c19e056d306 100644
--- a/apps/web/src/connectors/duo-redirect.ts
+++ b/apps/web/src/connectors/duo-redirect.ts
@@ -33,7 +33,7 @@ window.addEventListener("load", async () => {
 displayHandoffMessage(client);
 } else if (client === "browser") {
- window.postMessage({ command: "duoResult", code: code, state: state }, "*");
+ window.postMessage({ command: "duoResult", code, state }, window.location.origin);
 displayHandoffMessage(client);
 } else if (client === "mobile" || client === "desktop") {
 if (client === "desktop") {
diff --git a/apps/web/src/connectors/sso.ts b/apps/web/src/connectors/sso.ts
index 4fdab71be3b..886742c4c49 100644
--- a/apps/web/src/connectors/sso.ts
+++ b/apps/web/src/connectors/sso.ts
@@ -32,7 +32,7 @@ function initiateWebAppSso(code: string, state: string) {
 }
 function initiateBrowserSso(code: string, state: string, lastpass: boolean) {
- window.postMessage({ command: "authResult", code: code, state: state, lastpass: lastpass }, "*");
+ window.postMessage({ command: "authResult", code, state, lastpass }, window.location.origin);
 const handOffMessage = ("; " + document.cookie)
 .split("; ssoHandOffMessage=")
 .pop()
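Review bot: `window.location.origin` evaluates to the string `"null"` when the document has an opaque origin (a sandboxed iframe without `allow-same-origin`, `file:` or `data:` loads), and `postMessage` throws a SyntaxError for a target origin that is not `"*"`, `"/"` or a valid URL, so if this connector is ever loaded that way the new `duoResult` line would throw before `displayHandoffMessage(client)` runs and the Duo code would never be handed off. The same-origin intent can be expressed without that edge case by passing `"/"`, which the HTML spec resolves to the caller's own origin: `window.postMessage({ command: "duoResult", code, state }, "/");`. Be aware that targetOrigin only filters on the origin of the receiving window, and the receiver here is this same window, so every `message` listener in the document (including other extensions' content scripts) still receives `code` and `state`; the change is defense in depth, not an isolation boundary, and a one-line comment saying so would stop a future reader from treating it as one. The enclosing `load` handler starts and ends outside this hunk.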
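Review bot: The hardening on the new `authResult` line is only half of the contract: a sender-side targetOrigin does nothing to authenticate the message at the receiver, and any script running in this document can post a forged `authResult` with an attacker-chosen `code`/`state`, so the listener that consumes it (presumably the browser extension's content script, which this hunk does not show) needs to check `event.source === window` and `event.origin === window.location.origin`, and to validate that `code` and `state` are strings before forwarding them. Worth confirming that those checks exist on the receiving side, since this commit's description presents the origin change as the fix for leakage. A short comment on the new line would make the intent durable: `// Target our own origin only; the extension's content script listens on this window. Never widen this back to "*".` `initiateBrowserSso` continues past the end of the hunk.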