Hello, I ask you to check the information below, because I think this issue may be crucial for some developers and users. Maybe it is possible to block adding the message event listener from Google Chrome console. 

VULNERABILITY DETAILS
I found out that I can send a malicious scripts into the window, that was openned via var wnd = window.open(); In the openned window console I can add the event listener, that will listen to the message event and execute some code, that I write. 
Accordin to the postMessage security advices, message event callback has to check the origin and (possibly) source of the parent and only when this properties are checked, callback should execute program logic.
But if I add message event through the child window console, then I can omit all the checks and inject some malicous script. 

VERSION
Chrome Version: [50.0.2661.102]
Operating System: Windows 10

REPRODUCTION CASE
/*Window A script*/
var wnd = widow.open('http://some-url.com', '_blank', 'some wnd');

/*Window B script after the open 
write this code in the console */
window.addEventListener('message', function() { document.write(event.data) });

/*Window A script after the window B openned*/
wnd.postMessage('<script>(function myMalicouscode() { })()</script>', 'http://some-url.com');