fix: Handle messages only coming from the main frame to prevent spoofing from child iframes

Author: Tyschenko

android/src/main/java/com/reactnativecommunity/webview/RNCWebView.java

@@ -283,7 +283,9 @@ protected void createRNCWebViewBridge(RNCWebView webView) {
                     @Override
                     public void onPostMessage(@NonNull WebView view, @NonNull WebMessageCompat message,
                             @NonNull Uri sourceOrigin, boolean isMainFrame, @NonNull JavaScriptReplyProxy replyProxy) {
-                        RNCWebView.this.onMessage(message.getData(), sourceOrigin.toString());
+                        if (isMainFrame) {
+                          RNCWebView.this.onMessage(message.getData(), sourceOrigin.toString());
+                        }
                     }
                 };
                 WebViewCompat.addWebMessageListener(

apple/RNCWebViewImpl.m

@@ -779,7 +779,7 @@ - (void)userContentController:(WKUserContentController *)userContentController
       _disablePromptDuringLoading = NO;
     }
   } else if ([message.name isEqualToString:MessageHandlerName]) {
-    if (_onMessage) {
+    if (_onMessage && message.frameInfo.mainFrame) {
       NSMutableDictionary<NSString *, id> *event = [self baseEvent];
       [event addEntriesFromDictionary: @{@"data": message.body}];
       [event addEntriesFromDictionary: @{@"url": message.frameInfo.request.URL.absoluteString}];