Current setup is a PHP form which customers put in an iframe with a submit button. Chrome browser extensions like TopCashBack are sending message
events like:

    {message: 'ACK_FRAME', targetId: 'bef025c4-852a-4b55-2ced-fcf777c43091'}

The fields sent come into this function:

    function postFields(msg) {
        var receiver = document.getElementById('iframe-content').contentWindow;
        receiver.postMessage(msg, 'https://my.websitecom');
    }

Which this event listener is picking up.

    if (window.addEventListener) {
        window.addEventListener("SecureMessage", receiveMessage);
    }

Thinking that I need to be checking the origin of the browser, or somehow block extension interactions with this page?
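
An added example, not part of the original post: a receiver that checks `event.origin`, `event.source` and the message shape before acting, so stray messages such as the `ACK_FRAME` one quoted above are dropped. It listens on `message`, the event type `postMessage` dispatches. The origin allowlist, the `{type, fields}` message shape and the names `classifyMessage` and `makeReceiver` are assumptions for illustration.

```javascript
// Added example. ALLOWED_ORIGINS holds placeholder customer origins (assumption).
const ALLOWED_ORIGINS = new Set([
  'https://customer-a.example',
  'https://customer-b.example',
]);

// Classify a MessageEvent-like object. expectedSource is the one window we
// expect to hear from (window.parent when this code runs inside the iframe).
function classifyMessage(event, expectedSource) {
  // 1. Exact origin match against the allowlist; no substring or suffix tests.
  if (!ALLOWED_ORIGINS.has(event.origin)) return 'reject:origin';
  // 2. The sender must be the specific window, not any frame on that origin.
  if (event.source !== expectedSource) return 'reject:source';
  // 3. Shape allowlist: only our own message type with string-valued fields.
  const d = event.data;
  if (d === null || typeof d !== 'object' || d.type !== 'form-fields') {
    return 'reject:shape';
  }
  const f = d.fields;
  if (f === null || typeof f !== 'object' || Array.isArray(f)) {
    return 'reject:shape';
  }
  for (const value of Object.values(f)) {
    if (typeof value !== 'string') return 'reject:shape';
  }
  return 'accept';
}

// Build a listener that silently ignores everything that is not accepted.
function makeReceiver(expectedSource, onFields) {
  return function receiveMessage(event) {
    if (classifyMessage(event, expectedSource) === 'accept') {
      onFields(event.data.fields);
    }
  };
}

// Browser wiring (skipped when run outside a browser, e.g. under Node).
if (typeof window !== 'undefined') {
  window.addEventListener(
    'message',
    makeReceiver(window.parent, (fields) => console.log('fields', fields))
  );
}
```

The shape check is what filters messages that arrive with an acceptable origin and source but were not produced by your own `postFields` call.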