
fix: bookmarklet postMessage rejected by origin check #136

Merged
kraftbj merged 2 commits into trunk from fix/bookmarklet-postmessage-origin-135 on May 6, 2026

Conversation

@kraftbj kraftbj commented May 5, 2026

Summary

Fixes #135. The bookmarklet's postMessage to the Press This popup was silently dropped, leaving the editor empty (no title, no content, no media, no selection) whenever the bookmarklet was the source of data — i.e. the normal flow.

Root cause

src/App.js's message handler required the message origin to equal the popup's own origin:

if ( event.origin !== window.location.origin ) {
    return;
}

The bookmarklet runs on whatever third-party page the user is on (ma.tt, youtube.com, …), so event.origin is always cross-origin to the WordPress site. Every legitimate bookmarklet message was rejected.

The check came in as a hardening pass in PR #100 (commit a55f050, "Add event.origin check on the postMessage listener"). The intent was right (don't let arbitrary pages forge press-this-data messages); the implementation was wrong for this transport.

The bug landed in trunk on Apr 3, after the 2.0.2 release on Mar 25. Stable users on 2.0.2 are unaffected — this only impacts trunk and 2.1.0-beta.

Fix

Validate the message source instead of its origin:

if ( ! window.opener || event.source !== window.opener ) {
    return;
}

Only the window that opened this popup (the bookmarklet's window) holds a Window reference to it via window.open(), so identity-checking against window.opener keeps the spoofing protection without rejecting cross-origin senders.

Tests

Added tests/components/app-postmessage.test.js with three cases that mount <App /> with stubbed children and dispatch MessageEvents:

  1. Cross-origin opener with valid press-this-data payload → handler runs (asserted via the validate-embeds fetch firing). This test fails on trunk and passes after the fix — exactly the regression to guard against.
  2. Non-opener source (separate iframe Window) with otherwise-valid payload → rejected. Locks in spoofing protection so a future change can't drop the source check.
  3. Opener with the wrong event.data.type → rejected.

Test plan

  • npm run test:unit — all 364 tests pass
  • npm run lint — clean
  • Manual: install on a test site, run the bookmarklet on a third-party page (ma.tt, a YouTube watch URL, etc.), confirm scraped title/selection/media populate the editor.
  • Manual: confirm pm=1 URL still works when proxy is enabled (the auto-scan path is independent and was working).
  • Manual: confirm the wn=1 window.name fallback (popup-blocked / mobile) is unaffected — it doesn't go through the postMessage handler.
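
The two gates discussed in the description, replayed against constructed MessageEvent-like objects so the regression and the spoofing cases can be exercised outside a browser. This is an added example, not code from the Press This plugin or from this PR. The message type string 'press-this-data', the popup origin 'https://blog.example', the sender origin 'https://ma.tt' and the payload field names title/content/selection are assumptions for the illustration; only the shape of the two checks is taken from the PR.

```javascript
// Added example, not Press This plugin code. Models the pre-fix origin gate and
// the post-fix opener-identity gate from the PR against constructed events.
// Assumptions (not from the page): MESSAGE_TYPE, the origins used below, and
// the payload field names title/content/selection.

const MESSAGE_TYPE = 'press-this-data'; // assumed type string

// Gate before the fix (PR #100): the sender must be same-origin with the popup,
// which a bookmarklet running on a third-party page never is.
function acceptByOrigin(popupWin, event) {
  return event.origin === popupWin.location.origin;
}

// Gate after the fix: identity check of the sending Window against the opener.
// Browsers give each browsing context one stable WindowProxy, so strict
// equality is the right comparison. With no opener (popup blocked, noopener)
// nothing can be trusted and every message is dropped.
function acceptBySource(popupWin, event) {
  return Boolean(popupWin.opener) && event.source === popupWin.opener;
}

// Builds a listener shaped like the one in App.js: returns the sanitised
// payload on acceptance, or null when the message is dropped. Fields are
// allow-listed and must be strings so a forged or malformed message cannot
// smuggle objects into the editor state.
function makeHandler(popupWin, gate) {
  const FIELDS = ['title', 'content', 'selection'];
  return function onMessage(event) {
    if (!gate(popupWin, event)) return null;
    const data = event.data;
    if (!data || typeof data !== 'object' || data.type !== MESSAGE_TYPE) return null;
    const out = {};
    for (const key of FIELDS) {
      if (typeof data[key] === 'string') out[key] = data[key];
    }
    return out;
  };
}

// Constructed fixtures standing in for browser Window objects. Only object
// identity matters, exactly as it does for event.source in a real browser.
const openerWin = { name: 'bookmarklet-page' };
const strangerWin = { name: 'some-iframe' };

function makePopup(opener) {
  return { location: { origin: 'https://blog.example' }, opener };
}

// A constructed event as the bookmarklet would send it from a third-party page.
function bookmarkletEvent(source, overrides = {}) {
  return {
    origin: 'https://ma.tt',
    source,
    data: { type: MESSAGE_TYPE, title: 'Hello', selection: 'quoted text', ...overrides },
  };
}

// Replays the three cases from the PR's test file plus the missing-opener and
// non-string-field cases, under both gates. Returns each outcome for assertion.
function runScenarios() {
  const popup = makePopup(openerWin);
  const before = makeHandler(popup, acceptByOrigin);
  const after = makeHandler(popup, acceptBySource);
  return {
    // Regression: the same legitimate cross-origin message under each gate.
    originGateDropsBookmarklet: before(bookmarkletEvent(openerWin)) === null,
    sourceGateAcceptsBookmarklet: after(bookmarkletEvent(openerWin)),
    // Spoofing protection: a non-opener window with an otherwise valid payload.
    sourceGateDropsStranger: after(bookmarkletEvent(strangerWin)) === null,
    // Opener, but the wrong event.data.type.
    sourceGateDropsWrongType: after(bookmarkletEvent(openerWin, { type: 'other' })) === null,
    // No opener at all: nothing is trusted.
    noOpenerDropsEverything:
      makeHandler(makePopup(null), acceptBySource)(bookmarkletEvent(openerWin)) === null,
    // A non-string field is stripped rather than passed into editor state.
    nonStringFieldStripped: after(bookmarkletEvent(openerWin, { content: { html: '<b>x</b>' } })),
  };
}

console.log(runScenarios());
```

Run it with node. One caveat worth keeping in mind with the opener-identity approach: event.source is compared by WindowProxy identity, which stays the same if the opener tab later navigates to a different site, so the check establishes which browsing context sent the message, not which origin is currently loaded there. That is why the payload's type and field shape are validated as well rather than trusting anything that arrives from the opener.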

Copilot AI left a comment


Pull request overview

Fixes a regression where the Press This popup rejected all bookmarklet postMessage payloads due to an overly strict same-origin check, leaving the editor empty in the normal bookmarklet flow. The handler now validates the message source window (the opener) rather than requiring same-origin, and adds focused unit tests to prevent the regression.

Changes:

  • Update App’s message event handler to accept cross-origin bookmarklet messages by requiring event.source === window.opener.
  • Add a unit test suite covering: cross-origin opener acceptance, non-opener rejection, and wrong-type rejection.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File                                       Description
src/App.js                                 Replaces origin-based filtering with opener/source identity gating for bookmarklet postMessage.
tests/components/app-postmessage.test.js   Adds regression tests for the postMessage receive path and spoofing protection.


Comment thread tests/components/app-postmessage.test.js
Copilot AI left a comment


Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated no new comments.



@kraftbj kraftbj added this pull request to the merge queue May 6, 2026
Merged via the queue into trunk with commit 9a07b74 May 6, 2026
10 checks passed

Development

Successfully merging this pull request may close these issues.

Bookmarklet postMessage rejected by overly strict origin check (cross-origin by design)

2 participants