fix(web): restrict postMessage targetOrigin from wildcard to specific origins (#30690)

Co-authored-by: XW <wei.xu1@wiz.ai>

web/app/components/base/chat/embedded-chatbot/header/index.tsx

@@ -66,7 +66,9 @@ const Header: FC<IHeaderProps> = ({
     const listener = (event: MessageEvent) => handleMessageReceived(event)
     window.addEventListener('message', listener)
 
-    window.parent.postMessage({ type: 'dify-chatbot-iframe-ready' }, '*')
+    // Security: Use document.referrer to get parent origin
+    const targetOrigin = document.referrer ? new URL(document.referrer).origin : '*'
+    window.parent.postMessage({ type: 'dify-chatbot-iframe-ready' }, targetOrigin)
 
     return () => window.removeEventListener('message', listener)
   }, [isIframe, handleMessageReceived])

web/hooks/use-oauth.ts

@@ -10,12 +10,15 @@ export const useOAuthCallback = () => {
     const errorDescription = urlParams.get('error_description')
 
     if (window.opener) {
+      // Use window.opener.origin instead of '*' for security
+      const targetOrigin = window.opener?.origin || '*'
+
       if (subscriptionId) {
         window.opener.postMessage({
           type: 'oauth_callback',
           success: true,
           subscriptionId,
-        }, '*')
+        }, targetOrigin)
       }
       else if (error) {
         window.opener.postMessage({
@@ -23,12 +26,12 @@ export const useOAuthCallback = () => {
           success: false,
           error,
           errorDescription,
-        }, '*')
+        }, targetOrigin)
       }
       else {
         window.opener.postMessage({
           type: 'oauth_callback',
-        }, '*')
+        }, targetOrigin)
       }
       window.close()
     }