Extension Bridge Security Hardening: nonce, origin, and fallback code

How the web-to-extension bind bridge moved from permissive postMessage to strict origin + nonce validation with one-time fallback redemption.

By QuizMind Platform Team

Tags: extension, security, platform
Key points

Bridge handoff now requires strict target origin matching.

Nonce echoing is mandatory for result and error envelopes.

A one-time redeem flow is available when opener messaging fails.


Why this changed

The extension bind bridge is the most sensitive public entrypoint because it converts a signed-in site session into installation-level credentials.

Any relaxed postMessage behavior (a wildcard target origin on the sending side, or a receiver that does not check event.origin) lets an unrelated page receive or forge the handoff, so we tightened the transport checks before adding more extension-side automation.

What is enforced now

The bridge posts only to an explicit, expected target origin and refuses to send with the wildcard ("*") target; envelopes arriving from any other origin are dropped.

Each bind request carries a random nonce, and both success and error payloads must echo it, so the extension can verify that an envelope answers its own request before persisting any installation state.

When the direct postMessage handoff cannot complete, the site issues a short-lived fallback code that can be redeemed exactly once; a second redemption, or one after the code expires, fails.

Operational impact

Support teams can diagnose failed bridge handoffs by correlating the requestId, the nonce, and the fallback redemption outcome for a request in the logs.

The extension continues to use installation tokens only; raw user bearer tokens are never passed into runtime extension state.