HTML5 Security Cheat Sheet
- When posting a message, pass the expected target origin as the second argument to postMessage rather than *. The browser then delivers the message only if the target window's current origin matches that value, so the data is not disclosed to an unknown origin if the target window has been redirected or its origin has otherwise changed since the window reference was obtained.
- The receiving page should always:
  - Check the origin attribute of the event to verify that the data comes from the expected location. Compare it against the full expected origin with strict equality; a substring, prefix or regular-expression match can be satisfied by an attacker-controlled origin (for example a hostname that merely contains the expected domain).
  - Perform input validation on the data attribute of the event to ensure that it is in the expected format before acting on it, and never pass it to eval, innerHTML or a similar sink.
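The rules above applied to a sender and a receiver, as an added example that is not part of the cheat sheet. The trusted origin, the fake window object and the two message types (setTheme, navigate) are assumptions made for the demonstration; the code runs unchanged in Node (where the window wiring is skipped) or in a browser.

```javascript
// Added example: a postMessage sender and receiver that follow the cheat sheet.
// The trusted origin and the message schema below are assumptions for the demo.
const TRUSTED_ORIGIN = 'https://app.example.com';

// Sender: always name the concrete target origin, never '*'. If the target
// window has navigated elsewhere, the browser silently drops the message.
function sendToPeer(targetWindow, payload) {
  targetWindow.postMessage(JSON.stringify(payload), TRUSTED_ORIGIN);
}

// Receiver: origin check by exact comparison, then strict validation of the
// payload. Returns a freshly built, validated object, or null to ignore.
function handleMessage(event) {
  // 1. Origin check. Strict equality only: indexOf/startsWith/regex would accept
  //    https://app.example.com.evil.net or https://evil.net/app.example.com
  if (event.origin !== TRUSTED_ORIGIN) {
    return null;
  }

  // 2. Shape check: the wire format is a JSON-encoded string holding an object.
  if (typeof event.data !== 'string') {
    return null;
  }
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (e) {
    return null;
  }
  if (msg === null || typeof msg !== 'object' || Array.isArray(msg)) {
    return null;
  }

  // 3. Allow-list the message type and validate every field we will use.
  //    Copy validated fields into a new object so nothing unexpected rides along.
  switch (msg.type) {
    case 'setTheme':
      if (msg.theme === 'light' || msg.theme === 'dark') {
        return { type: 'setTheme', theme: msg.theme };
      }
      return null;
    case 'navigate':
      // Same-origin absolute path only: must start with a single '/'
      // (rejects protocol-relative '//evil.net') and use a safe character set.
      if (typeof msg.path === 'string' && /^\/(?!\/)[A-Za-z0-9\/_.-]*$/.test(msg.path)) {
        return { type: 'navigate', path: msg.path };
      }
      return null;
    default:
      return null;
  }
}

// Constructed stand-in for a window reference, used to show what the sender
// actually hands to postMessage (assumed helper, not a real window).
function makeFakeWindow() {
  const sent = [];
  return {
    sent,
    postMessage(data, targetOrigin) {
      sent.push({ data, targetOrigin });
    },
  };
}

// Browser wiring: only runs where a real window exists.
if (typeof window !== 'undefined') {
  window.addEventListener('message', (event) => {
    const msg = handleMessage(event);
    if (msg !== null) {
      // Act only on the validated copy; use textContent, never innerHTML.
      console.log('accepted message', msg);
    }
  });
}
```

The receiver deliberately returns a newly constructed object rather than the parsed input, so downstream code cannot be reached by fields that were never validated; constructed events such as `{ origin: 'https://app.example.com.evil.net', data: '...' }` are rejected by the equality check before the payload is even parsed.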