From 27f16191b4cb90c985bcb1e380bc320950a1238d Mon Sep 17 00:00:00 2001
From: user
Date: Fri, 27 Feb 2026 11:58:57 -0800
Subject: [PATCH] fix(L4): use location.origin for postMessage, one-shot UUID listener
- Content script sends UUID via location.origin instead of "*"
- Inpage UUID listener removes itself after first message to prevent malicious pages from overriding the persisted UUID
---
 src/content/index.js | 2 +-
 src/content/inpage.js | 10 ++++++----
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/src/content/index.js b/src/content/index.js
index 960a1f6..cfa16e1 100644
--- a/src/content/index.js
+++ b/src/content/index.js
@@ -26,7 +26,7 @@ if (typeof browser !== "undefined") {
 uuid = crypto.randomUUID();
 storage.set({ eip6963Uuid: uuid });
 }
- window.postMessage({ type: "AUTISTMASK_PROVIDER_UUID", uuid }, "*");
+ window.postMessage({ type: "AUTISTMASK_PROVIDER_UUID", uuid }, location.origin);
 });
 })();
diff --git a/src/content/inpage.js b/src/content/inpage.js
index bb9a88f..9a95012 100644
--- a/src/content/inpage.js
+++ b/src/content/inpage.js
@@ -9,7 +9,7 @@
 const pending = {};
 // Listen for responses from the content script
- window.addEventListener("message", (event) => {
+ window.addEventListener("message", function onUuid(event) {
 if (event.source !== window) return;
 if (event.data?.type !== "AUTISTMASK_RESPONSE") return;
 const { id, result, error } = event.data;
@@ -24,7 +24,7 @@
 });
 // Listen for events pushed from the extension
- window.addEventListener("message", (event) => {
+ window.addEventListener("message", function onUuid(event) {
 if (event.source !== window) return;
 if (event.data?.type !== "AUTISTMASK_EVENT") return;
 const { eventName, data } = event.data;
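Review bot: The new `postMessage(..., location.origin)` call throws a SyntaxError in any document with an opaque origin (sandboxed iframe, `data:` URL, some `file:` cases), because `location.origin` is the literal string `"null"` there, which is not a valid targetOrigin; the old `"*"` did not have that failure mode, so if the content script is ever injected into such frames the UUID is silently never announced. If those contexts matter, fall back explicitly, e.g. `const target = location.origin === "null" ? "*" : location.origin;` and pass `target`, with a comment stating why. Separately, since the inpage script runs in the page's realm, any page script can also listen for this message, so the value persisted by the context-line `storage.set({ eip6963Uuid: uuid })` becomes a stable identifier readable across every site; EIP-6963 appears to only need the uuid to be unique for the page lifetime, so persisting it seems worth reconsidering. The enclosing callback and IIFE begin before this hunk.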
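Review bot: The listener in this hunk handles `AUTISTMASK_RESPONSE` messages, but the new named function expression calls it `onUuid`, which is misleading in stack traces and to readers and looks like a search-and-replace slip from the UUID listener change. Rename it to match what it does, e.g. `window.addEventListener("message", function onResponse(event) {`, or keep the original arrow function since nothing here removes this listener. The handler body continues past the end of the hunk.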
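Review bot: This listener handles `AUTISTMASK_EVENT` messages pushed from the extension, yet it is also named `onUuid`, so two unrelated handlers now share a name that describes neither. Use `window.addEventListener("message", function onExtensionEvent(event) {` (or the original anonymous arrow) so the name reflects the message type it filters on. The handler body continues past the end of the hunk.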
@@ -178,12 +178,14 @@
 }
 // Listen for the persisted UUID from the content script
- window.addEventListener("message", (event) => {
+ function onProviderUuid(event) {
 if (event.source !== window) return;
 if (event.data?.type !== "AUTISTMASK_PROVIDER_UUID") return;
+ window.removeEventListener("message", onProviderUuid);
 providerUuid = event.data.uuid;
 announceProvider();
- });
+ }
+ window.addEventListener("message", onProviderUuid);
 window.addEventListener("eip6963:requestProvider", announceProvider);
 announceProvider();
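Review bot: Making `onProviderUuid` one-shot does not stop a page from overriding the UUID; it only decides who wins the race, and the page wins it whenever its own `postMessage({ type: "AUTISTMASK_PROVIDER_UUID", uuid })` lands before the content script's asynchronous storage lookup completes, after which the genuine message is dropped for good. `event.source === window` cannot tell the page apart from the content script because both post to the same window, so the commit's stated goal is not actually met. At minimum validate the payload before the new `removeEventListener` line so a malformed forgery does not consume the single shot: `const { uuid } = event.data;` followed by `if (typeof uuid !== "string" || !/^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i.test(uuid)) return;`. The more robust fix, if nothing depends on the value surviving across page loads, is to set `providerUuid = crypto.randomUUID()` inside inpage.js and drop this message entirely, which removes the forgery surface and the cross-site stable identifier at once.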