HTML5 adds the ability to send messages to documents served from other domains. According to the specification:
Authors should not use the wildcard keyword (*) in the targetOrigin argument in messages that contain any confidential information, as otherwise there is no way to guarantee that the message is only delivered to the recipient to which it was intended.
To mitigate the risk of sending sensitive information to a document served from a hostile or unknown domain, this rule raises an issue each time Window.postMessage is called with "*" as its targetOrigin.
```javascript
var myWindow = document.getElementById('myIFrame').contentWindow;
myWindow.postMessage(message, "*"); // Noncompliant; how do you know what you loaded in 'myIFrame' is still there?
```
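The compliant pattern, added here as an example that is not part of the rule page: the sender names the exact origin it expects the frame to hold instead of "*", and the receiving document checks event.origin against an allowlist before trusting the data. The helper names (sendToFrame, makeMessageHandler, fakeWindow), the ALLOWED_ORIGINS set and the origin https://app.example are assumptions, and the iframe's contentWindow is replaced by a stub so the code runs under Node without a browser.

```javascript
// Added example (not from the rule page). Shows the compliant use of
// Window.postMessage: an explicit targetOrigin on the sending side and an
// event.origin allowlist on the receiving side.

// Assumed origin of the document loaded in the iframe (constructed value).
const ALLOWED_ORIGINS = new Set(["https://app.example"]);

// Sender: refuse to ship confidential data with a wildcard targetOrigin.
// Returns the origin actually passed to postMessage so callers can verify it.
function sendToFrame(frameWindow, message, targetOrigin) {
  if (targetOrigin === "*") {
    throw new Error("refusing to post confidential data with targetOrigin '*'");
  }
  // Normalise to a bare origin so a full URL such as
  // "https://app.example/page" becomes "https://app.example".
  const origin = new URL(targetOrigin).origin;
  if (!ALLOWED_ORIGINS.has(origin)) {
    throw new Error(`origin ${origin} is not in the allowlist`);
  }
  // The browser delivers the message only if the frame's current document
  // still has this origin; if the frame navigated elsewhere it is dropped.
  frameWindow.postMessage(message, origin);
  return origin;
}

// Receiver: builds a "message" event handler that accepts events only from
// allowlisted origins. The handler returns whether the message was accepted.
function makeMessageHandler(onTrusted) {
  return function handler(event) {
    if (!ALLOWED_ORIGINS.has(event.origin)) {
      return false; // dropped: unknown or hostile origin
    }
    onTrusted(event.data, event.origin);
    return true;
  };
}

// Stand-in for an iframe's contentWindow so the example runs outside a browser
// (constructed; a real page would use document.getElementById(...).contentWindow).
function fakeWindow() {
  const posted = [];
  return {
    posted,
    postMessage(data, targetOrigin) {
      posted.push({ data, targetOrigin });
    },
  };
}

// Sending side: the token goes only to https://app.example, never to "*".
const myWindow = fakeWindow();
sendToFrame(myWindow, { token: "constructed-secret" }, "https://app.example/page");

// Receiving side: one genuine and one spoofed message (both constructed).
const received = [];
const handler = makeMessageHandler((data, origin) => received.push({ data, origin }));
handler({ origin: "https://app.example", data: "hello" });    // accepted
handler({ origin: "https://evil.example", data: "spoofed" }); // dropped
```

In a real page the receiver is registered with window.addEventListener("message", handler); the origin check must use event.origin, not any origin claimed inside event.data, because only the former is set by the browser.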