PostMessage Wildcard Target Origin Detected
Description

Web applications relying on JavaScript often need to perform cross-origin communication between `Window` objects, such as a page and an embedded iframe or a popup window. The `postMessage` API allows developers to bypass same-origin policy restrictions in a controlled way in order to exchange data between scripts located on different origins.
Depending on the application's needs, messages can be sent to the wildcard target origin `*`, which lets whatever document currently occupies the target window read them, whatever its origin. If the data sent through `postMessage()` is not intended to be public, an attacker who controls the content of that window (for example after the frame or popup has navigated to another origin) could leverage this issue to capture sensitive data from the target web application.
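As an added example (not part of the original finding text), the following block shows the vulnerable wildcard pattern next to a hardened sender that pins the target origin, plus a receiver that validates `event.origin` before using the message. `TRUSTED_ORIGIN`, the mock window and the placeholder token are constructed assumptions so that the block runs under Node without a browser; in a real page `targetWindow` would be `iframe.contentWindow` or the return value of `window.open()`.

```javascript
// Assumed origin of the frame we intend to talk to (constructed for this example).
const TRUSTED_ORIGIN = 'https://app.example';

// Vulnerable pattern from the finding: the wildcard target origin means the
// browser delivers the message to whatever document is in targetWindow,
// even if it has since navigated to an unrelated origin.
function sendInsecure(targetWindow, data) {
  targetWindow.postMessage(data, '*');
}

// Hardened sender: the target origin is pinned, so the browser silently
// discards the message when the window's current origin does not match.
// Non-public data is never sent to '*'.
function sendSecure(targetWindow, data, targetOrigin) {
  if (targetOrigin === '*') {
    throw new Error('refusing to send non-public data to wildcard target origin');
  }
  targetWindow.postMessage(data, targetOrigin);
}

// Hardened receiver: only messages from the expected origin are processed,
// and the payload is still treated as untrusted input by the callback.
function makeReceiver(trustedOrigin, onMessage) {
  return function handler(event) {
    if (event.origin !== trustedOrigin) {
      return false; // dropped: wrong origin
    }
    onMessage(event.data);
    return true; // accepted
  };
}

// Mock Window: records every (data, targetOrigin) pair passed to postMessage
// so the two sender variants can be compared without a browser.
function mockWindow() {
  const sent = [];
  return {
    sent,
    postMessage(data, targetOrigin) {
      sent.push({ data, targetOrigin });
    },
  };
}

// Runs both senders and both receiver paths and returns what happened.
function demo() {
  const win = mockWindow();
  const secret = { token: 'SESSION-TOKEN-PLACEHOLDER' }; // constructed sample payload

  sendInsecure(win, secret);               // recorded with targetOrigin '*'
  sendSecure(win, secret, TRUSTED_ORIGIN); // recorded with the pinned origin

  const accepted = [];
  const handler = makeReceiver(TRUSTED_ORIGIN, (d) => accepted.push(d));
  const fromOther = handler({ origin: 'https://other.example', data: 'ignored' });
  const fromTrusted = handler({ origin: TRUSTED_ORIGIN, data: 'hello' });

  return { sent: win.sent, fromOther, fromTrusted, accepted };
}
```

Calling `demo()` returns the recorded sends and receiver decisions; in a real page, the same `makeReceiver` handler would be registered with `window.addEventListener('message', handler)`. The origin check on the receiving side is independent of the sender fix: a frame that accepts messages from any origin is a separate weakness even when every sender pins its target.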
