
VideoPress: Clean up postMessage bridge code#47436

Open
obenland wants to merge 5 commits into trunk from update/videopress-postmessage-cleanup

Conversation

obenland (Member) commented Mar 3, 2026

Fixes #

Proposed changes:

  • Replace targetOrigin: '*' with validated event.origin in token bridge JWT delivery
  • Add origin validation to player bridge listening path and block editor message listeners
  • Extract shared videopress-allowed-origins module with isAllowedOrigin() type guard
  • Remove dead legacy videopress-token-bridge.js and its webpack entry
  • Add comprehensive test suites for both token bridge (15 tests) and player bridge (7 tests)

Other information:

Security-adjacent cleanup of postMessage handlers. The token bridge was sending JWTs with targetOrigin: '*' — now uses the validated origin. Message listeners in the block editor hooks lacked origin checks (low risk since they're on SandBox contentWindow, but added for defense-in-depth).

No functional changes to the user-facing video player behavior.

  • Have you written new tests for your changes, if applicable?
  • Have you checked the E2E test CI results, and verified that your changes do not break them?
  • Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

N/A — security-adjacent cleanup, no product changes.

Does this pull request change what data or activity we track or use?

No. This PR does not change what data or activity we track or use. It only tightens origin validation on existing postMessage communication between the VideoPress player iframe and the host page.

Testing instructions:

  1. Open the block editor with a VideoPress video block
  2. Verify the video player loads and plays correctly
  3. Enable debug logging: localStorage.debug = 'videopress:*' and reload
  4. Confirm token bridge messages show the validated origin (not *)
  5. Run cd projects/packages/videopress && pnpm test — all 139 tests pass

Changelog

  • Generate changelog entries for this PR (using AI).

obenland added 2 commits March 3, 2026 15:15
Extract duplicated allowed-origins arrays into a shared module with a
type guard, add debug logging to origin checks, and improve error
handling in the token bridge and media token flows.
Copilot AI review requested due to automatic review settings March 3, 2026 21:24
@obenland obenland added the [Status] Needs Review This PR is ready for review. label Mar 3, 2026
github-actions bot (Contributor) commented Mar 3, 2026

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

  • To test on WoA, go to the Plugins menu on a WoA dev site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin (Jetpack), and enable the update/videopress-postmessage-cleanup branch.
  • To test on Simple, run the following command on your sandbox:
bin/jetpack-downloader test jetpack update/videopress-postmessage-cleanup

Interested in more tips and information?

  • In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
  • Read more about our development workflow here: PCYsg-eg0-p2
  • Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

github-actions bot (Contributor) commented Mar 3, 2026

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

  • ✅ Include a description of your PR changes.
  • ✅ Add a "[Status]" label (In Progress, Needs Review, ...).
  • ✅ Add testing instructions.
  • ✅ Specify whether this PR includes any changes to data or privacy.
  • ✅ Add changelog entries to affected projects

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖


Follow this PR Review Process:

  1. Ensure all required checks appearing at the bottom of this PR are passing.
  2. Make sure to test your changes on all platforms that it applies to. You're responsible for the quality of the code you ship.
  3. You can use GitHub's Reviewers functionality to request a review.
  4. When it's reviewed and merged, you will be pinged in Slack to deploy the changes to WordPress.com simple once the build is done.

If you have questions about anything, reach out in #jetpack-developers for guidance!

@github-actions github-actions bot added [Status] Needs Author Reply We need more details from you. This label will be auto-added until the PR meets all requirements. and removed [Status] Needs Review This PR is ready for review. labels Mar 3, 2026
Copilot AI (Contributor) left a comment

Pull request overview

Security-focused cleanup of VideoPress postMessage bridges to reduce cross-origin risk (notably avoiding targetOrigin: '*' when sending JWTs), centralize origin allowlisting, and add unit tests around the bridge behaviors.

Changes:

  • Introduce a shared videopress-allowed-origins module and apply origin validation across token/player bridges and block editor listeners.
  • Update the token bridge to reply using the validated event.origin (instead of *) and remove the legacy videopress-token-bridge.js + webpack entry.
  • Add new Jest test suites for token bridge and player bridge; improve token fetch failure logging in get-media-token.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 3 comments.

Summary per file:

  • projects/packages/videopress/webpack.config.js: Removes the legacy token bridge webpack entry.
  • projects/packages/videopress/src/client/lib/videopress-token-bridge.js: Deletes unused legacy token bridge implementation.
  • projects/packages/videopress/src/client/lib/videopress-allowed-origins.ts: Adds shared allowlist + isAllowedOrigin() type guard.
  • projects/packages/videopress/src/client/lib/token-bridge/index.ts: Validates origin and uses validated targetOrigin for JWT delivery; adds try/catch around token fetch.
  • projects/packages/videopress/src/client/lib/token-bridge/test/index.test.ts: Adds coverage for origin validation and non-wildcard targetOrigin behavior.
  • projects/packages/videopress/src/client/lib/player-bridge/index.ts: Adds origin validation for listening events via shared allowlist.
  • projects/packages/videopress/src/client/lib/player-bridge/test/index.test.ts: Adds tests for listening/emitting behaviors and origin filtering.
  • projects/packages/videopress/src/client/lib/get-media-token/index.ts: Switches token request failure logging from console.warn to debug.
  • projects/packages/videopress/src/client/block-editor/hooks/use-video-player/index.ts: Adds origin validation to message listener in the editor hook.
  • projects/packages/videopress/src/client/block-editor/blocks/video/components/poster-panel/index.tsx: Makes postMessage target origin explicit ('*').
  • projects/packages/videopress/src/client/block-editor/blocks/video/components/player/index.tsx: Adds origin validation for the player loading-state listener.
  • projects/packages/videopress/changelog/harden-videopress-postmessage-security: Adds a patch changelog entry describing the hardening.


jp-launch-control bot commented Mar 3, 2026

Code Coverage Summary

Coverage changed in 4 files.

File Coverage Δ% Δ Uncovered
projects/packages/videopress/src/client/block-editor/hooks/use-video-player/index.ts 31/77 (40.26%) -2.80% 5 💔
projects/packages/videopress/src/client/block-editor/blocks/video/components/player/index.tsx 43/77 (55.84%) -1.49% 2 ❤️‍🩹
projects/packages/videopress/src/client/lib/player-bridge/index.ts 18/18 (100.00%) 100.00% -19 💚
projects/packages/videopress/src/client/lib/token-bridge/index.ts 45/51 (88.24%) 88.24% -44 💚

1 file is newly checked for coverage.

File Coverage
projects/packages/videopress/src/client/lib/videopress-allowed-origins.ts 2/2 (100.00%) 💚


If appropriate, add one of these labels to override the failing coverage check:

  • Covered by non-unit tests: use to ignore the Code coverage requirement check when E2Es or other non-unit tests cover the code.
  • Coverage tests to be added later: use to ignore the Code coverage requirement check when tests will be added in a follow-up PR.
  • I don't care about code coverage for this PR: use this label to ignore the check for insufficient code coverage.

@obenland obenland added [Status] Needs Review This PR is ready for review. and removed [Status] Needs Author Reply We need more details from you. This label will be auto-added until the PR meets all requirements. labels Mar 4, 2026
obenland added 2 commits March 4, 2026 15:26
Browsers can deliver MessageEvents with null source (e.g., from closed
windows or certain cross-origin scenarios). Add a null check alongside
the existing MessagePort/ServiceWorker guards to prevent a TypeError
when calling postMessage on a null source.

Also strengthens the 'accepts messages from video.wordpress.com' test
to verify call count and payload content instead of just toHaveBeenCalled.
Copilot AI review requested due to automatic review settings March 4, 2026 21:40
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 12 out of 12 changed files in this pull request and generated 1 comment.



Move the origin and source checks above getSubscriberPlanIdIfExists()
so invalid messages are rejected immediately without awaiting async I/O.
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 12 out of 12 changed files in this pull request and generated no new comments.




2 participants