Merge pull request #326 from whiteout-io/dev/WO-961

[WO-03-008] Fix no Origin Checks for postMessage Communication (High)

src/js/controller/app/read-sandbox.js

@@ -12,6 +12,11 @@ DOMPurify.addHook('afterSanitizeAttributes', function(node) {
 window.onmessage = function(e) {
     var html = '';
 
+    // ignore messages from other origins to prevent XSS
+    if (e.origin !== location.origin) {
+        return;
+    }
+
     if (e.data.html) {
         // display html mail body
         html = e.data.html;