Kraut.World/server
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fixing scripting origin check

Browse source 
When working on making the openCoWebsite URL relative, we introduced a regression.
In production, the iframe generated by "script" properties have no "src" and therefore, were treated as invalid messages.

This should fix everything in prod.
This commit is contained in:
David Négrier 2021-06-07 16:48:52 +02:00
parent 311c74584c
commit b03ee5bd53
1 changed files with 17 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

18
front/src/Api/IframeListener.ts
View file

@ -70,16 +70,24 @@ class IframeListener {
// Do we trust the sender of this message? // Do we trust the sender of this message?
// Let's only accept messages from the iframe that are allowed. // Let's only accept messages from the iframe that are allowed.
// Note: maybe we could restrict on the domain too for additional security (in case the iframe goes to another domain). // Note: maybe we could restrict on the domain too for additional security (in case the iframe goes to another domain).
let foundSrc: string | null = null; let foundSrc: string | undefined;
foundSrc = [...this.scripts.keys()].find(key => {
return this.scripts.get(key)?.contentWindow == message.source
});
if (foundSrc === undefined) {
for (const iframe of this.iframes) { for (const iframe of this.iframes) {
if (iframe.contentWindow === message.source) { if (iframe.contentWindow === message.source) {
foundSrc = iframe.src; foundSrc = iframe.src;
break; break;
} }
} }
if (!foundSrc) {
if (foundSrc === undefined) {
return; return;
} }
}
const payload = message.data; const payload = message.data;
if (isIframeEventWrapper(payload)) { if (isIframeEventWrapper(payload)) {
@ -106,11 +114,7 @@ class IframeListener {
this._loadSoundStream.next(payload.data); this._loadSoundStream.next(payload.data);
} }
else if (payload.type === 'openCoWebSite' && isOpenCoWebsite(payload.data)) { else if (payload.type === 'openCoWebSite' && isOpenCoWebsite(payload.data)) {
const scriptUrl = [...this.scripts.keys()].find(key => { scriptUtils.openCoWebsite(payload.data.url, foundSrc);
return this.scripts.get(key)?.contentWindow == message.source
})
scriptUtils.openCoWebsite(payload.data.url, scriptUrl || foundSrc);
} }
else if (payload.type === 'closeCoWebSite') { else if (payload.type === 'closeCoWebSite') {