osra treats peers as semi-trusted: malformed payloads are handled cleanly, origin filters window messages in both directions, but nothing on the wire is authentication. This page spells out exactly which guarantees each option gives you, and which it does not.
On window transports, origin (default '*') does two things: it is the postMessagetargetOrigin for outbound envelopes, and inbound messages whose event.origin doesn’t match are dropped:
Always set origin for cross-origin window messaging. Two caveats:
Events without an origin (worker messages, custom transports) bypass the check; it is only meaningful where the platform stamps event.origin. Non-window transports (Worker, MessagePort, WebSocket, ServiceWorkerContainer, WebExtension, custom) are not origin-filtered; WebSocket/ServiceWorker events carry their own unrelated origins, so filtering there would be a footgun.
One outbound exception: the unsolicited announce beacon is posted with targetOrigin'*' regardless of the configured origin. Until a freshly created cross-origin iframe commits its document, its window still holds the initial about:blank (which inherits the embedder’s origin), so a strict targetOrigin would be dropped by the browser with a mismatch error on every retry.
This is safe because:
the beacon carries only channel identifiers (key, name, uuid), no data,
whatever answers it must still pass the inbound origin filter,
every other envelope (announce replies, init, messages, close) is only sent after the peer’s own message proved its committed origin, and keeps the strict targetOrigin.
Consequence: a wrong-origin embedder can observe the beacon’s identifiers, but cannot complete a handshake or receive any data.
runtime.onMessage / onConnect listeners receive untrusted input when paired with onMessageExternal / onConnectExternal. osra does no sender validation; the MessageContext passed to custom receive listeners exposes sender, and you must check sender.id / sender.url yourself before letting messages reach an exposed value. See low-level messaging for the MessageContext shape.
spoof envelope uuids to address your connections, including sending { type: 'close' } to tear down another peer’s connection,
feed malformed boxes (which reject your handshake),
call anything you exposed,
flood you with announces or port traffic.
DoS-hardening is not complete. Don’t expose privileged functions on channels where untrusted code can post; on windows, pin origin; in extensions, validate senders.