require-post-message-target-origin

📝 Enforce using the targetOrigin argument with window.postMessage().

🚫 This rule is disabled in the following configs: ✅ recommended, ☑️ unopinionated.

💡 This rule is manually fixable by editor suggestions.

When calling window.postMessage() without the targetOrigin argument, the message cannot be received by any window.

This rule cannot distinguish between window.postMessage() and other calls like Worker#postMessage(), MessagePort#postMessage(), Client#postMessage(), and BroadcastChannel#postMessage(). Use on your own risk.

Examples

// ❌
window.postMessage(message);

// ✅
window.postMessage(message, 'https://example.com');

// ✅
window.postMessage(message, '*');