Fix: Use wildcard origin for postMessage in sendReadyMessage #9

Merged: d-winter merged 1 commit into main from fix/postmessage-wildcard-origin on Mar 4, 2026

@d-winter d-winter commented Mar 4, 2026

Problem

Version 1.0.4 introduced wildcard support for allowedOrigins (e.g., http://localhost:*, https://*.hygraph.com), but this caused a runtime error:

SyntaxError: Failed to execute 'postMessage' on 'Window': Invalid target origin 'http://localhost:*' in a call to 'postMessage'.

The issue occurred because sendReadyMessage() tried to use wildcard patterns directly as the targetOrigin parameter in postMessage() calls. The browser's postMessage API only accepts:

  1. Specific origins (e.g., http://localhost:3000)
  2. The wildcard "*" to send to any origin

It cannot accept pattern strings like http://localhost:*.

Solution

Modified sendReadyMessage() in MessageBridge.ts to use "*" as the target origin instead of iterating through the allowedOrigins patterns.

Security

Security is maintained because:

  • The wildcard patterns in allowedOrigins are still used to validate incoming messages via isOriginAllowed()
  • Only messages from origins matching the wildcard patterns are accepted
  • Once connected (after receiving an init message), all subsequent messages use the specific validated origin

Changes

  • MessageBridge.ts: Changed sendReadyMessage() to use "*" as targetOrigin
  • MessageBridge.test.ts: Updated and added tests for the new behavior
  • Preview.ts: Updated SDK version to 1.0.5
  • package.json: Bumped version to 1.0.5

Testing

  • ✅ All 26 tests pass (including new wildcard validation tests)
  • ✅ TypeScript compilation succeeds with strict types
  • ✅ Build completes successfully
  • ✅ Published to npm as v1.0.5

🤖 Generated with Claude Code

Fixes the SyntaxError that occurred when wildcard patterns (e.g.,
http://localhost:*, https://*.hygraph.com) were used directly as
targetOrigin in postMessage calls.

Changes:
- Modified sendReadyMessage to use "*" as targetOrigin instead of
  iterating through allowedOrigins patterns
- Security is maintained through origin validation in isOriginAllowed()
- Updated tests to reflect the new behavior
- Added tests for wildcard origin pattern validation
- Bumped version to 1.0.5

The postMessage API only accepts specific origins or "*", not pattern
strings with wildcards. Using "*" for the initial ready message is
safe because we validate all incoming messages against the wildcard
patterns in allowedOrigins.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@d-winter d-winter requested a review from a team as a code owner March 4, 2026 12:24
@d-winter d-winter merged commit e15c91c into main Mar 4, 2026
2 checks passed
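
Added example, not the SDK's own MessageBridge code: a sketch of the origin handling this PR describes, with anchored matching of allowedOrigins patterns, "*" as targetOrigin only until a validated init message arrives, and the validated origin afterwards. The names compileOriginPattern and OriginGate, the wildcard semantics (digits for a port, DNS labels for a host) and the rule of accepting only the pinned origin after init are assumptions of this example.

```typescript
// Added example: hypothetical helpers, not the SDK's MessageBridge implementation.
const PORT = "\\d{1,5}";                      // assumed meaning of "*" after ":"
const HOST = "[a-z0-9-]+(?:\\.[a-z0-9-]+)*";  // assumed meaning of "*" in a host

// Compile one allowedOrigins entry (exact origin or pattern) into an anchored RegExp.
// Literal text is escaped so "." in "hygraph.com" cannot match an arbitrary character,
// and the wildcard classes exclude "/", ":" and "@", so a match cannot leave the host.
function compileOriginPattern(pattern: string): RegExp {
  const source = pattern
    .split("*")
    .map((part) => part.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .reduce((acc, part) => acc + (acc.endsWith(":") ? PORT : HOST) + part);
  return new RegExp(`^${source}$`, "i");
}

// Tracks the handshake state: unpinned until a validated "init" message arrives.
class OriginGate {
  private pinned: string | null = null;
  private readonly rules: RegExp[];

  constructor(allowedOrigins: string[]) {
    this.rules = allowedOrigins.map(compileOriginPattern);
  }

  // Call with event.origin and the message type; true means "process this message".
  accept(origin: string, type: string): boolean {
    // Assumption of this example: after init, only the pinned origin is accepted.
    if (this.pinned !== null) return origin === this.pinned;
    if (!this.rules.some((rule) => rule.test(origin))) return false;
    if (type === "init") this.pinned = origin;
    return true;
  }

  // Value to pass as targetOrigin: postMessage rejects patterns, so "*" until pinned.
  targetOrigin(): string {
    return this.pinned === null ? "*" : this.pinned;
  }
}

// Constructed sample run.
const gate = new OriginGate(["http://localhost:*", "https://*.hygraph.com"]);
console.log(gate.accept("https://hygraph.com.evil.example", "init"), gate.targetOrigin());
console.log(gate.accept("http://localhost:3000", "init"), gate.targetOrigin());
```

While targetOrigin is "*", the browser delivers the message to whatever document currently occupies the target window, so the ready message should carry nothing that is sensitive.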