security: validate sender URL for popup-only messages

src/background/index.js

@@ -635,6 +635,21 @@ runtime.onMessage.addListener((msg, sender, sendResponse) => {
         return true;
     }
 
+    // Validate that popup-only messages originate from the extension itself.
+    const POPUP_ONLY_TYPES = [
+        "AUTISTMASK_GET_APPROVAL",
+        "AUTISTMASK_APPROVAL_RESPONSE",
+        "AUTISTMASK_TX_RESPONSE",
+        "AUTISTMASK_SIGN_RESPONSE",
+    ];
+    if (POPUP_ONLY_TYPES.includes(msg.type)) {
+        const extUrl = runtime.getURL("");
+        if (!sender.url || !sender.url.startsWith(extUrl)) {
+            sendResponse({ error: "Unauthorized sender" });
+            return false;
+        }
+    }
+
     if (msg.type === "AUTISTMASK_GET_APPROVAL") {
         const approval = pendingApprovals[msg.id];
         if (approval) {