From 74bdfc9639e7b5ecd4b9982f9db40c912ab6db8f Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 26 Mar 2026 06:22:45 +0000
Subject: [PATCH 1/2] Initial plan


From 8fef7f0db2f073221c2fd8df1ce033290612991f Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 26 Mar 2026 06:32:48 +0000
Subject: [PATCH 2/2] fix: add origin check in postMessage handler to resolve
 alert 546

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/bc5f08b0-d798-4818-af81-78cd3b347f4e

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 docs/public/wasm/compiler-worker.js | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/docs/public/wasm/compiler-worker.js b/docs/public/wasm/compiler-worker.js
index 5d9349a151c..d244af4fb72 100644
--- a/docs/public/wasm/compiler-worker.js
+++ b/docs/public/wasm/compiler-worker.js
@@ -85,6 +85,12 @@
    * Handle incoming messages from the main thread.
    */
   self.onmessage = async function (event) {
+    // Only accept messages from the same origin (or the dedicated-worker
+    // empty-string origin) to prevent cross-origin attacks.
+    if (event.origin && event.origin !== self.location.origin) {
+      return;
+    }
+
     var msg = event.data;
 
     if (msg.type !== 'compile') {