flawed, an attacker’s message data can reach dangerous pieces of code.
• See “The pitfalls of postMessage” by Mathias Karlsson for common origin validation bypasses.
to receive messages from external web sites (e.g. translator services) or within the same origin (especially in developer tools extensions)
• postMessage data can be passed into the background script context, and in some cases even reach the OS via the Native Messaging API
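The check a content script should perform before forwarding a postMessage payload toward the background script (and from there, potentially, toward a native host), as an added example that is not part of the original slides: the allowed origin, the `translate` message schema, and the `forward` callback standing in for `chrome.runtime.sendMessage` are all assumptions for illustration.

```javascript
// Added example, not from the slides. Exact-match origin allowlist plus
// strict message-shape validation; everything below is constructed.
const ALLOWED_ORIGINS = new Set([
  "https://translator.example", // constructed: the only site allowed to send us work
]);

// Exact-match only: no substring, prefix, regex or "*" matching on the origin.
function isTrustedOrigin(origin) {
  return typeof origin === "string" && ALLOWED_ORIGINS.has(origin);
}

// Validate the structure before anything leaves the content-script context.
// Returns a freshly built, sanitized request or null if it does not conform.
function validateTranslateRequest(data) {
  if (data === null || typeof data !== "object") return null;
  if (data.type !== "translate") return null;
  if (typeof data.text !== "string" || data.text.length > 10000) return null;
  if (!/^[a-z]{2}$/.test(String(data.target))) return null;
  return { type: "translate", text: data.text, target: data.target };
}

// Decide whether an incoming MessageEvent-like object may be forwarded.
// `forward` stands in for chrome.runtime.sendMessage so this runs under Node.
function handleMessage(event, forward) {
  if (!isTrustedOrigin(event.origin)) return false;
  const req = validateTranslateRequest(event.data);
  if (req === null) return false;
  forward(req);
  return true;
}

// Wire the handler up only when running inside a page (skipped under Node).
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    handleMessage(event, (msg) => chrome.runtime.sendMessage(msg));
  });
}
```

Only the rebuilt `req` object is forwarded, so unexpected extra properties on the attacker-controlled `event.data` never reach the background script.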