Confirmed from main-F3P7IW5C.js (280,591 chars):
rrweb handleMessage() checks n.origin !== n.data.origin.
Since attacker controls BOTH fields, this check is trivially bypassed.
// rrweb cross-iframe recording handler (pos 173949):
handleMessage(t) {
let n = t;
// "origin check" — but n.data.origin is ATTACKER-CONTROLLED:
if (n.data.type !== "rrweb" || n.origin !== n.data.origin || !t.source) return;
// n.origin = "https://attack.netfragile.store" (real postMessage origin)
// n.data.origin = "https://attack.netfragile.store" (attacker embeds their OWN origin)
// n.origin === n.data.origin → CHECK PASSES → event processed!
let o = this.crossOriginIframeMap.get(t.source);
let i = this.transformCrossOriginEvent(o, n.data.event);
i && this.wrappedEmit(i, n.data.isCheckout); // EXECUTES INJECTED EVENTS
}
// Listeners 2 and 3 — NO origin check at attachment point:
recordCrossOriginIframes &&
window.addEventListener("message", this.handleMessage.bind(this))
t.contentWindow?.addEventListener("message", this.handleMessage.bind(this))
// Listener 1 — Sentry Replay dialog (ZERO origin check):
L.addEventListener("message", d) // processes any message from any origin
All PoC pages served from VPS 145.239.36.49 via nginx