Draw.io listener needs to verify message origin
Discovered as part of https://gitlab.com/gitlab-com/gl-security/product-security/appsec/appsec-reviews/-/work_items/326+ (staff-only).

The draw.io listener verifies the `postMessage` source identity (`app/assets/javascripts/drawio/drawio_editor.js:183`), i.e. that `evt.source` is the editor iframe's window, but not the actual origin of the message (`evt.origin`). Checking `source` alone is not sufficient: the iframe's window object stays the same if the frame navigates to a different document, so a message posted from a document at another origin loaded in that frame would still pass the check.

Address with e.g. (plus specs):

```javascript
// Resolve the editor URL the same way the iframe `src` is resolved, relative
// to the embedding page, and compare its origin with the message origin.
const expectedOrigin = new URL(drawIOEditorState.drawioUrl, window.location.href).origin;
if (evt.origin !== expectedOrigin) {
  return;
}
```
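The check described above, carried through as a complete listener; this is an added example, not GitLab's code from `drawio_editor.js`. The function names (`expectedDrawioOrigin`, `isTrustedDrawioMessage`, `installDrawioListener`), the parameters, and the assumption that draw.io posts JSON-encoded strings are all illustrative choices here.

```javascript
// Added example (not GitLab's code): an origin-checked postMessage handler
// for an embedded draw.io editor. Function names, parameters and the
// JSON-string message format are assumptions made for this illustration.

// Resolve the expected origin of the draw.io iframe the same way the browser
// resolves its `src`: relative to the embedding page (baseHref stands in for
// window.location.href so the code also runs outside a browser).
function expectedDrawioOrigin(drawioUrl, baseHref) {
  return new URL(drawioUrl, baseHref).origin;
}

// Decide whether an incoming message event should be trusted. Both checks
// are needed: `source` ties the message to the iframe's window object,
// `origin` ties it to the document actually loaded in that window, which
// may no longer be the draw.io document if the frame has navigated.
function isTrustedDrawioMessage(evt, iframeWindow, drawioUrl, baseHref) {
  if (evt.source !== iframeWindow) return false;
  if (evt.origin !== expectedDrawioOrigin(drawioUrl, baseHref)) return false;
  return true;
}

// Wire the check into a `message` listener on `target` (normally `window`).
// `onMessage` receives only messages that passed both checks and parsed as
// JSON; the returned function removes the listener again.
function installDrawioListener(target, iframeWindow, drawioUrl, baseHref, onMessage) {
  const handler = (evt) => {
    if (!isTrustedDrawioMessage(evt, iframeWindow, drawioUrl, baseHref)) return;
    let msg;
    try {
      // Assumption for this example: the editor posts JSON-encoded strings.
      msg = typeof evt.data === 'string' ? JSON.parse(evt.data) : evt.data;
    } catch (e) {
      return; // not a well-formed editor message; ignore it
    }
    onMessage(msg);
  };
  target.addEventListener('message', handler);
  return () => target.removeEventListener('message', handler);
}
```

The origin is derived from the configured editor URL rather than hard-coded, so an instance that self-hosts draw.io under its own origin keeps working; comparing `origin` values (scheme, host, port) rather than full URLs avoids false rejections when the editor document's path differs from the configured URL.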