diff --git a/packages/webview_flutter/webview_flutter_web/lib/src/web_webview_controller.dart b/packages/webview_flutter/webview_flutter_web/lib/src/web_webview_controller.dart
index eaff98930bb9..e861d3c1f9e8 100644
--- a/packages/webview_flutter/webview_flutter_web/lib/src/web_webview_controller.dart
+++ b/packages/webview_flutter/webview_flutter_web/lib/src/web_webview_controller.dart
@@ -29,7 +29,7 @@ class WebWebViewControllerCreationParams
 // ignore: avoid_unused_constructor_parameters
 PlatformWebViewControllerCreationParams params, {
 @visibleForTesting
- HttpRequestFactory httpRequestFactory = const HttpRequestFactory(),
+ HttpRequestFactory httpRequestFactory = const HttpRequestFactory(),
 }) : this(httpRequestFactory: httpRequestFactory);
 static int _nextIFrameId = 0;
@@ -118,8 +118,35 @@ class WebWebViewController extends PlatformWebViewController {
 ) async {
 void handler(html.Event event) {
 if (event is html.MessageEvent) {
+ final String? iFrameSrc = _webWebViewParams.iFrame.src;
+ if (event.origin.isEmpty || iFrameSrc == null) {
+ return;
+ }
+
+ // Security check
+ if (!iFrameSrc.startsWith(event.origin)) {
+ return;
+ }
+
+ if (event.data == null || event.data is! Map) {
+ return;
+ }
+
+ // ignore: avoid_dynamic_calls
+ final String? channelName = event.data['channel'] as String?;
+ if (channelName != javaScriptChannelParams.name) {
+ return;
+ }
+
+ // ignore: avoid_dynamic_calls
+ final String? message = event.data['message'] as String?;
+ if (message == null) {
+ return;
+ }
+
 javaScriptChannelParams.onMessageReceived(
- JavaScriptMessage(message: event.data.toString()));
+ JavaScriptMessage(message: message),
+ );
 }
 }
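Review bot: The guard `if (!iFrameSrc.startsWith(event.origin))` in the second hunk compares origins by string prefix, so a sender whose origin is merely a textual prefix of the frame's URL — `https://example.com` against a frame loaded from `https://example.com:8443/…` or `https://example.com.evil.example/…` — is accepted although it is a different origin, and since any window can postMessage to this page this is the check that carries the trust decision. Compare a parsed origin instead (`Uri.parse(iFrameSrc).origin`, which throws for unparsable, non-http(s) or host-less URLs and should then be treated as a mismatch), and make the `// Security check` comment say what is enforced, e.g. `// Accept only messages whose sender origin equals the origin the iframe was loaded from.`. Note that `iFrame.src` is the attribute the frame was created with, not the origin of the document it currently shows after a redirect or in-frame navigation, so the check stays best-effort; if comparing `event.source` with the frame's `contentWindow` is reliable under dart:html in this code base, requiring that as well would exclude other same-origin windows. The enclosing async method starts and ends outside the hunk.
```dart
        // … unchanged: iFrameSrc lookup and empty-origin guard …
        // Accept only messages whose sender origin equals the origin the
        // iframe was loaded from; any window can postMessage to this page,
        // and a string-prefix match would also admit foreign origins.
        String? expectedOrigin;
        try {
          expectedOrigin = Uri.parse(iFrameSrc).origin;
        } on FormatException {
          expectedOrigin = null; // unparsable src
        } on StateError {
          expectedOrigin = null; // non-http(s) or host-less src has no origin
        }
        if (expectedOrigin == null || expectedOrigin != event.origin) {
          return;
        }
        // … unchanged: data/channel/message checks and onMessageReceived …
```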