Make the targetOrigin argument non-optional. "*" would mean "don't care" while anything else would specify an origin (or result in a syntax error). If this is done, it's no longer possible to have time-of-check/time-of-use issues (in the async case) without the web developer explicitly choosing to do so. This change shouldn't be any more than 5-10 lines, and fixing existing testcases to adjust for this change is straightforward.
Jeff P.S. -- The work needed to make the change I note above is substantially less than the work needed for an async postMessage. I did a trial implementation+test fixup for async postMessage in <https://bugzilla.mozilla.org/show_bug.cgi?id=430251>. I found my implementation added roughly 40 more lines of code -- not great but not too bad. Far more substantially, adjusting tests to the change, particularly tests looking to perform numerous steps in a particular sequence, was slow and painful. My conclusions are that back-and-forth communication with async postMessage is substantially harder than it is with sync postMessage, while async postMessage is moderately more difficult to implement than sync postMessage.
