AGI-Corporation · AGI-Corporation · Mar 7, 2026 · Mar 7, 2026 · Mar 7, 2026 · Mar 7, 2026
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2026-03-01 - [OAuth postMessage Origin Hardening]
+**Vulnerability:** Insecure use of `postMessage` with wildcard origin (`'*'`) and weak origin validation using `startsWith`.
+**Learning:** OAuth redirect handlers often use `window.opener.postMessage` to send authorization codes back to the main application window. Using `'*'` allows any site that can open or reference the redirect window to intercept these codes. Furthermore, using `startsWith` for origin validation is bypassable (e.g., `https://trusted.com.attacker.com` starts with `https://trusted.com`).
+**Prevention:** Always use a specific target origin in `postMessage` calls. For origin validation in message listeners, use strict equality with a derived origin from a trusted URL (e.g., `new URL(trustedUrl).origin === event.origin`). Always add safety checks for URL parsing.
diff --git a/packages/react-ui/src/app/routes/redirect.tsx b/packages/react-ui/src/app/routes/redirect.tsx
@@ -13,7 +13,7 @@ const RedirectPage: React.FC = React.memo(() => {
         {
           code: code,
         },
-        '*',
+        window.location.origin,
       );
     }
   }, [location.search]);

diff --git a/packages/react-ui/src/lib/oauth2-utils.ts b/packages/react-ui/src/lib/oauth2-utils.ts
@@ -71,12 +71,20 @@ function constructUrl(params: OAuth2PopupParams, pckeChallenge: string) {
   return url.toString();
 }
 
-function getCode(redirectUrl: string): Promise<string> {
+function getCode(redirectUrl: string | undefined): Promise<string> {
   return new Promise<string>((resolve) => {
     window.addEventListener('message', function handler(event) {
+      if (!redirectUrl) {
+        return;
+      }
+      let origin;
+      try {
+        origin = new URL(redirectUrl).origin;
+      } catch (e) {
+        return;
+      }
       if (
-        redirectUrl &&
-        redirectUrl.startsWith(event.origin) &&
+        origin === event.origin &&
         event.data['code']
       ) {
         resolve(decodeURIComponent(event.data.code));

diff --git a/packages/server/api/src/app/app.ts b/packages/server/api/src/app/app.ts
@@ -250,12 +250,13 @@ export const setupApp = async (app: FastifyInstance): Promise<FastifyInstance> =
                 return reply.send('The code is missing in url')
             }
             else {
+                const origin = await domainHelper.getPublicUrl({})
                 return reply
                     .type('text/html')
                     .send(
                         `<script>if(window.opener){window.opener.postMessage({ 'code': '${encodeURIComponent(
                             params.code,
-                        )}' },'*')}</script> <html>Redirect succuesfully, this window should close now</html>`,
+                        )}' }, '${origin}')}</script> <html>Redirect succuesfully, this window should close now</html>`,
                     )
             }
         },
-Original file line number
+Diff line change
@@ Expand Up / @@ -13,7 +13,7 @@ const RedirectPage: React.FC = React.memo(() => { @@
             {
               code: code,
             },
-            '*',
+            window.location.origin,
           );
         }
       }, [location.search]);
@@ Expand Down @@