Context-Inappropriate Capability
Medium
- Confidence
- 96% confidence
- Finding
- The message listener enables or disables the editor solely based on event.data.type and does not validate event.origin, event.source, or any capability token. Any embedding page, iframe parent, or other window that can postMessage to this page can toggle editing mode, expanding the attack surface and allowing unauthorized UI manipulation of the document.
