fix(app): add source validation to default PostMessageTransport

ochafik · ochafik · commit e3c01ae93028 · 2026-01-07T14:09:34.000Z
App.connect() now passes window.parent as both eventTarget and eventSource,
enabling source validation by default. This ensures apps only accept
messages from their parent window, preventing potential cross-app
message spoofing attacks.

Previously, the default transport only specified the target but not the
source for validation, meaning apps would accept messages from ANY window.
diff --git a/src/app.ts b/src/app.ts
@@ -1027,7 +1027,7 @@ export class App extends Protocol<AppRequest, AppNotification, AppResult> {
    * @see {@link PostMessageTransport} for the typical transport implementation
    */
   override async connect(
-    transport: Transport = new PostMessageTransport(window.parent),
+    transport: Transport = new PostMessageTransport(window.parent, window.parent),
     options?: RequestOptions,
   ): Promise<void> {
     await super.connect(transport);
