Is it essential to specify targetOrigin when using window.parent.postMessage() when sending non-sensitive data?


I'm using

window.parent.postMessage(message, '*')

to send data that is not private/sensitive to external websites (the message is the height an iframe should be, i.e. importantly, it's not user info or anything sensitive like that).

My current understanding of the risks

Using '*' for targetOrigin means any site could intercept that message.

Since (in my case) the message is not sensitive, this does not directly present any security risk, despite not being a best practice.

I'd have to be extremely careful not to forget about this and never send sensitive data via the message in the future. So long as I'm careful never to do that, this method will technically be completely safe (despite not being best practice).

Is my understanding correct?

Answer by stevec:

I am completely new to this, but it appears the understanding outlined in the question above is indeed correct; at least according to this fantastic question and answer, the key bit being:

It isn't a risk per se. It just means that anybody can embed your content in a frame and read the messages you send over the API

Basically, * as targetOrigin means any site can see the data (i.e. message) you're sending, so as long as it's not anything sensitive/private/confidential then it's okay.

The reason it's not best practice is that you or another developer could send sensitive information in the future and may not realise that the targetOrigin is open to anyone, and hence it could leak confidential data. So it's technically not essential, but it is best practice to lock down targetOrigin to only the sites that you intend to allow access to the data being sent.
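An added example, not code from the question or the answer, of the locked-down form the answer recommends: the embedded page names its parent's origin instead of '*', and the parent checks event.origin and the message shape before resizing anything. The origins and the iframe id are assumed placeholders.

```javascript
// Assumed placeholders: the site that embeds the iframe, and the embed
// origins the parent is willing to accept height messages from.
const PARENT_ORIGIN = 'https://parent.example';
const ALLOWED_CHILD_ORIGINS = ['https://widget.example'];

// Embedded page side: build the (non-sensitive) height message.
function buildHeightMessage(height) {
  if (!Number.isInteger(height) || height < 0) {
    throw new TypeError('height must be a non-negative integer');
  }
  return { type: 'iframe-height', height };
}

// Send only to the intended parent origin. If whoever framed the page is
// not PARENT_ORIGIN, the browser drops the message instead of delivering it,
// so a later change that adds sensitive fields cannot leak to arbitrary framers.
function sendHeight(targetWindow, height, targetOrigin = PARENT_ORIGIN) {
  const msg = buildHeightMessage(height);
  targetWindow.postMessage(msg, targetOrigin); // never '*' here
  return msg;
}

// Parent side: accept a height only from an allowed origin and only if the
// payload has the expected shape and a sane value. Returns null on rejection.
function acceptHeightMessage(event, allowedOrigins = ALLOWED_CHILD_ORIGINS) {
  if (!allowedOrigins.includes(event.origin)) return null;
  const d = event.data;
  if (!d || d.type !== 'iframe-height') return null;
  if (!Number.isInteger(d.height) || d.height < 0 || d.height > 20000) return null;
  return d.height;
}

// Browser wiring, guarded so the file also loads outside a browser.
if (typeof window !== 'undefined' && window.parent !== window) {
  // Running inside the iframe: report our height to the parent.
  sendHeight(window.parent, document.documentElement.scrollHeight);
} else if (typeof window !== 'undefined') {
  // Running in the parent page: resize the frame we actually embedded.
  window.addEventListener('message', (event) => {
    const h = acceptHeightMessage(event);
    const frame = document.getElementById('embed'); // assumed iframe id
    if (h !== null && frame && event.source === frame.contentWindow) {
      frame.style.height = h + 'px';
    }
  });
}
```

The parent-side check matters even when the child's data is harmless, because any page can post a 'message' event to the parent, and a resize handler that trusts it blindly can be driven by an unrelated origin.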