HTML5 adds the ability to send messages to documents served from other domains. According to the specification:

Authors should not use the wildcard keyword (*) in the targetOrigin argument in messages that contain any confidential information, as otherwise there is no way to guarantee that the message is only delivered to the recipient to which it was intended.

To mitigate the risk of sending sensitive information to a document served from a hostile or unknown domain, this rule raises an issue each time Window.postMessage is used.

Noncompliant Code Example

var myWindow = document.getElementById('myIFrame').contentWindow;
myWindow.postMessage(message, "*"); // Noncompliant; how do you know what you loaded in 'myIFrame' is still there?
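
The safer pattern has two halves: the sender names the exact origin it expects the frame to be served from, and the receiver checks event.origin before trusting the data. The following is an added example, not code from the rule or its source project; TRUSTED_ORIGIN, sendConfidential and handleMessage are assumed names, and the origin value is constructed for illustration.

```javascript
// Origin the application expects 'myIFrame' to be served from (constructed value).
const TRUSTED_ORIGIN = "https://widgets.example.com";

// Sender side: refuse to post confidential data with a wildcard targetOrigin.
// targetWindow is anything exposing postMessage (a real Window in the browser,
// a stub when exercised outside one). Returns the origin actually used.
function sendConfidential(targetWindow, payload, targetOrigin) {
  if (targetOrigin === "*") {
    throw new Error("refusing to post confidential data with targetOrigin '*'");
  }
  // With an explicit origin the browser drops the message if the frame has
  // since navigated to a document from a different origin.
  targetWindow.postMessage(payload, targetOrigin);
  return targetOrigin;
}

// Receiver side: accept only messages whose origin matches the expected one.
// Returns the accepted data, or null when the message is ignored, so the
// decision can be observed without a browser event loop.
function handleMessage(event, trustedOrigin = TRUSTED_ORIGIN) {
  if (event.origin !== trustedOrigin) {
    return null; // message from an unknown or hostile document: ignore it
  }
  return event.data;
}

// Browser wiring, guarded so the file also loads under Node for testing.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  window.addEventListener("message", (e) => {
    const data = handleMessage(e);
    if (data !== null) console.log("accepted message:", data);
  });
  const frame = document.getElementById("myIFrame");
  if (frame) sendConfidential(frame.contentWindow, { token: "example" }, TRUSTED_ORIGIN);
}
```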

See