F-001 PoC — Tea SDK postMessage substring origin bypass

Origin:

Target

Message to send

Raw text sent verbatim via popup.postMessage(text, "*"). Tea SDK's pi() parses the data field as JSON if it's a string, so it accepts both JSON-string and other formats.

Presets — click to load into the textarea above

Log