DevExpress · Bayheck · Jan 13, 2026 · Jan 8, 2026 · Jan 11, 2026 · Jan 12, 2026
diff --git a/src/client/sandbox/event/message.ts b/src/client/sandbox/event/message.ts
@@ -215,6 +215,14 @@ export default class MessageSandbox extends SandboxBase {
     postMessage (contentWindow: Window, args) {
         const targetUrl = args[1] || destLocation.getOriginHeader();
 
+        // NOTE: We do NOT support the postMessage(message, options) overload.
+        // The second argument is expected to be `targetOrigin` (string).
+        // If an options object is provided instead, the call is considered invalid and will be aborted.
+        if (typeof targetUrl !== 'string') {
+            nativeMethods.consoleMeths.log(`testcafe-hammerhead: postMessage called with invalid targetOrigin; aborting call (type: ${typeof targetUrl})`);
+            return null;
+        }
+
         // NOTE: Here, we pass all messages as "no preference" ("*").
         // We do an origin check in "_onWindowMessage" to access the target origin.
         args[1] = '*';

diff --git a/test/client/fixtures/sandbox/event/message-test.js b/test/client/fixtures/sandbox/event/message-test.js
@@ -35,6 +35,22 @@ asyncTest('should pass "transfer" argument for "postMessage" (GH-1535)', functio
     callMethod(window, 'postMessage', ['test', '*', [channel.port1]]);
 });
 
+asyncTest('should not accept an object as "targetOrigin"', function () {
+    var called = false;
+    var handler = function () {
+        called = true;
+    };
+
+    window.addEventListener('message', handler);
+    callMethod(window, 'postMessage', ['message', { test: 1 }]);
+
+    window.setTimeout(function () {
+        ok(!called, 'message should not be delivered');
+        window.removeEventListener('message', handler);
+        start();
+    }, 100);
+});
+
 asyncTest('onmessage event', function () {
     var count = 0;