This folder contains a research document (postMessage penTest.docx) covering security considerations around the window.postMessage API, which was relatively new at the time. The notes explored questions like: what happens when the target origin is *? How do receivers validate the event.origin property? Are there ways to spoof or confuse the origin check? The research was more of a methodology document than a single bug — a guide to how a penetration tester should approach postMessage-using applications to find missing or incorrect origin validation.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.