Built-in search overrides global window.postMessage in no-Worker fallback #4106

@diofeher

Summary

mkdocs/contrib/search/templates/search/main.js replaces the global window.postMessage function in the fallback path used when window.Worker is unavailable. This destroys the native cross-origin messaging primitive for any other code running in the same browsing context for the lifetime of the page.

Affected file

mkdocs/contrib/search/templates/search/main.js (current master, also present in 1.5.3 and earlier — the override has been in place since the 2018 search refactor in dd7e2d9).

if (!window.Worker) {
  console.log('Web Worker API not supported');
  // load index in main thread
  $.getScript(joinUrl(base_url, "search/worker.js")).done(function () {
    console.log('Loaded worker');
    init();
    window.postMessage = function (msg) {       // <-- global override
      onWorkerMessage({data: msg});
    };
  }).fail(function (jqxhr, settings, exception) {
    console.error('Could not load worker.js');
  });
}

Problem

Native window.postMessage(message, targetOrigin) is the documented cross-document/iframe messaging primitive with origin-aware semantics. Replacing it globally:

  • Breaks the native two-argument signature; the replacement takes one argument and ignores any target-origin contract.
  • Breaks any iframe, embedded widget, browser extension, or third-party script on the same page that relies on window.postMessage for messaging.
  • Can confuse other listeners that trust the native postMessage/message event semantics.
  • Is permanent for the lifetime of the page once the fallback path runs.

The branch only fires when window.Worker is unsupported, which is rare on modern browsers, but the override happens unconditionally on those clients.
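The behaviour described in this issue, reproduced against a constructed stand-in for `window` so that it runs under Node. This is an added example, not MkDocs code and not part of the original report. `makeFakeWindow`, `makeScopedChannel` and `runScenario` are hypothetical names, and the scoped sender assumes the worker code can be handed a sender object instead of calling the global.

```javascript
// Added example. Constructed, simplified stand-in for a browsing context.
function makeFakeWindow() {
  const listeners = [];
  return {
    origin: 'https://docs.example', // constructed origin
    addEventListener(type, fn) {
      if (type === 'message') listeners.push(fn);
    },
    // Models the native contract: deliver only when targetOrigin matches.
    postMessage(message, targetOrigin = '/') {
      const ok = targetOrigin === '*' || targetOrigin === '/' ||
        targetOrigin === this.origin;
      if (ok) listeners.forEach((fn) => fn({ data: message, origin: this.origin }));
    },
  };
}

// The pattern quoted in the issue: the global is replaced.
function installGlobalOverride(win, onWorkerMessage) {
  win.postMessage = function (msg) {
    onWorkerMessage({ data: msg });
  };
}

// Hypothetical alternative: a private sender; the global is never touched.
function makeScopedChannel(onWorkerMessage) {
  return { postMessage: (msg) => onWorkerMessage({ data: msg }) };
}

function runScenario(useOverride) {
  const win = makeFakeWindow();
  const native = win.postMessage;
  const widgetInbox = []; // an unrelated 'message' listener on the same page
  const searchInbox = []; // what the search UI's handler receives
  win.addEventListener('message', (e) => widgetInbox.push(e.data));
  const onWorkerMessage = (e) => searchInbox.push(e.data);

  let channel = win;
  if (useOverride) installGlobalOverride(win, onWorkerMessage);
  else channel = makeScopedChannel(onWorkerMessage);

  channel.postMessage({ results: [] });              // search result message
  win.postMessage({ widget: 'resize' }, win.origin); // unrelated page script
  return { widgetInbox, searchInbox, stillNative: win.postMessage === native };
}

console.log('override:', runScenario(true));
console.log('scoped:  ', runScenario(false));
```

With the override installed, the unrelated `{widget: 'resize'}` message lands in the search handler and never reaches the page's `message` listener; with the scoped sender each message reaches only its own recipient.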
