From 66aa328d720a3ef7d1611f9aea67699c505fb4e7 Mon Sep 17 00:00:00 2001
From: Elliot Conte
Date: Thu, 10 Apr 2025 00:11:28 -0400
Subject: [PATCH] Adds configuration of postmessage target origin for security purposes
---
 packages/rrweb/src/record/index.ts | 3 ++-
 packages/rrweb/src/types.ts | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/packages/rrweb/src/record/index.ts b/packages/rrweb/src/record/index.ts
index 1308c378a6..c576fb45da 100644
--- a/packages/rrweb/src/record/index.ts
+++ b/packages/rrweb/src/record/index.ts
@@ -99,6 +99,7 @@ function record(
 keepIframeSrcFn = () => false,
 ignoreCSSAttributes = new Set([]),
 errorHandler,
+ postMessageTargetOrigin = '*',
 } = options;

 registerErrorHandler(errorHandler);
@@ -226,7 +227,7 @@ function record(
 origin: window.location.origin,
 isCheckout,
 };
- window.parent.postMessage(message, '*');
+ window.parent.postMessage(message, postMessageTargetOrigin);
 }

 if (e.type === EventType.FullSnapshot) {
diff --git a/packages/rrweb/src/types.ts b/packages/rrweb/src/types.ts
index a03e326b6f..d167b075c2 100644
--- a/packages/rrweb/src/types.ts
+++ b/packages/rrweb/src/types.ts
@@ -74,6 +74,7 @@ export type recordOptions = {
 mousemoveWait?: number;
 keepIframeSrcFn?: KeepIframeSrcFn;
 errorHandler?: ErrorHandler;
+ postMessageTargetOrigin?: string;
 };

 export type observerParam = {
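Review bot: The default on the added destructuring line is still `'*'`, so the restriction is opt-in and every caller that does not set the option keeps posting recorded events to whichever origin frames the page. If the wildcard has to stay for backward compatibility, say so where the default is declared, e.g. `// '*' kept for backward compatibility; set this to the embedding page's origin so events are delivered only to it`. record()'s body starts and ends outside the hunk.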
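Review bot: The option value reaches `window.parent.postMessage(message, postMessageTargetOrigin)` without any validation. A string that is neither `'*'`, `'/'` nor a parseable origin makes postMessage throw a SyntaxError on each emitted event, and a well-formed origin that does not match the parent makes the browser drop the message silently, so a misconfigured recorder looks like one that records nothing. Checking once where the options are read fails early instead of per event, e.g. `if (!['*', '/'].includes(postMessageTargetOrigin)) new URL(postMessageTargetOrigin); // throws on a malformed origin`. Whether this call is already covered by the registered error handler is not visible here, since the enclosing block starts outside the hunk.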
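Review bot: The new `postMessageTargetOrigin?: string` field has no doc comment, and the name alone does not tell a caller when it applies or what the default is. Judging from the record/index.ts hunk it is used only when events are forwarded to `window.parent`, so a TSDoc line would help, such as `/** targetOrigin passed to window.parent.postMessage when events are forwarded to the parent frame; defaults to '*'. Set it to the parent page's origin to restrict delivery. */`. The recordOptions type starts outside the hunk.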