
unicorn/require-post-message-target-origin Suspicious

💡 A suggestion is available for this rule.

What it does

Enforces using the targetOrigin argument with window.postMessage().

Why is this bad?

When calling window.postMessage() without the targetOrigin argument, the message cannot be received by any window.

Examples

Examples of incorrect code for this rule:

```js
window.postMessage(message);
```

Examples of correct code for this rule:

```js
window.postMessage(message, "https://example.com");

window.postMessage(message, "*");
```
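
The rule accepts `"*"`, which delivers the message to the target window whatever origin it currently holds. The following is an added example, not part of the oxlint documentation: a sender that only ever passes an allowlisted origin as targetOrigin, paired with a receiver that checks `event.origin`. The names `ALLOWED_ORIGINS`, `pinnedOrigin`, `sendTo`, `makeReceiver` and `fakeWindow` are hypothetical, and `fakeWindow` is a constructed stand-in so the code runs outside a browser.

```javascript
// Added example; all names below are hypothetical, not oxlint or browser APIs.
const ALLOWED_ORIGINS = new Set(["https://example.com"]);

// Reduce a URL to its serialized origin and require it to be allowlisted.
// new URL() throws a TypeError for "*", "/" and other non-absolute values,
// so wildcard and implicit targets never reach postMessage().
function pinnedOrigin(targetOrigin) {
  const origin = new URL(targetOrigin).origin;
  if (!ALLOWED_ORIGINS.has(origin)) {
    throw new Error(`origin not allowlisted: ${origin}`);
  }
  return origin;
}

// Sender: always supplies an explicit, allowlisted targetOrigin.
function sendTo(targetWindow, message, targetOrigin) {
  targetWindow.postMessage(message, pinnedOrigin(targetOrigin));
}

// Receiver: the matching check on the other side. Messages whose
// event.origin is not allowlisted are dropped before the handler runs.
// In a browser: window.addEventListener("message", makeReceiver(handler));
function makeReceiver(onMessage) {
  return (event) => {
    if (!ALLOWED_ORIGINS.has(event.origin)) return false;
    onMessage(event.data);
    return true;
  };
}

// Constructed stand-in for a Window that records postMessage() calls.
function fakeWindow() {
  const calls = [];
  return { calls, postMessage: (msg, origin) => calls.push({ msg, origin }) };
}
```
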

How to use

To enable this rule in the CLI or using the config file, you can use:

```bash
oxlint --deny unicorn/require-post-message-target-origin
```

```json
{
  "rules": {
    "unicorn/require-post-message-target-origin": "error"
  }
}
```
