diff --git a/src/js/controller/app/read-sandbox.js b/src/js/controller/app/read-sandbox.js
index 0b32ed3..593b2ab 100644
--- a/src/js/controller/app/read-sandbox.js
+++ b/src/js/controller/app/read-sandbox.js
@@ -12,6 +12,11 @@ DOMPurify.addHook('afterSanitizeAttributes', function(node) {
 window.onmessage = function(e) {
     var html = '';
 
+    // ignore messages from other origins to prevent XSS
+    if (e.origin !== location.origin) {
+        return;
+    }
+
     if (e.data.html) {
         // display html mail body
         html = e.data.html;
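Review bot: The added guard compares `e.origin` against `location.origin`, which is the string `"null"` when a script runs inside an iframe whose `sandbox` attribute omits `allow-same-origin`; the file name suggests this is such a sandbox, in which case the check would drop every message including the parent's, so confirm which origin the frame actually has and compare against the expected embedding origin rather than the frame's own. The check also does not bind the message to its sender, so any window on the accepted origin can post into the handler; `if (e.origin !== location.origin || e.source !== window.parent) { return; }` narrows it to the embedding document. On the following context line `e.data.html` is dereferenced without checking that `e.data` is an object, so a `null` payload from an accepted origin throws inside the handler. The `window.onmessage` function continues past the end of the hunk.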