src/background/index.js

@@ -617,7 +617,19 @@ if (windowsApi && windowsApi.onRemoved) {
 // Listen for messages from content scripts and popup
 runtime.onMessage.addListener((msg, sender, sendResponse) => {
     if (msg.type === "AUTISTMASK_RPC") {
-        handleRpc(msg.method, msg.params, msg.origin).then((response) => {
+        // Derive origin from trusted sender info to prevent origin spoofing.
+        // Chrome MV3 provides sender.origin; Firefox MV2 fallback uses sender.tab.url.
+        let trustedOrigin = msg.origin; // fallback only if sender info unavailable
+        if (sender.origin) {
+            trustedOrigin = sender.origin;
+        } else if (sender.tab && sender.tab.url) {
+            try {
+                trustedOrigin = new URL(sender.tab.url).origin;
+            } catch {
+                // keep fallback
+            }
+        }
+        handleRpc(msg.method, msg.params, trustedOrigin).then((response) => {
             sendResponse(response);
         });
         return true;