[media] Check origin of messages #1643
Conversation
dayo09
force-pushed
the
0915-check-origin
branch
2 times, most recently
from
a28fe3d to
1fa31fb
Compare
| if (window.origin !== event.origin) { | ||
| console.log("Unexpected Origin: ", event.origin); | ||
| return; | ||
| } |
There was a problem hiding this comment.
@seanshpark I noticed that there is a potential security problem from Verify the origin of the received message.
I assumed that the messages are coming from the window's origin, would it be okay for CircleGraph?
There was a problem hiding this comment.
I'm not sure about technical background of this, but I think event itself would be coming from vscode process(? or thread?, the node-js).
And not sure about the fix but if this has no problem loading the model, I think it would be OK.
There was a problem hiding this comment.
I agree this changes because this is a similar solution from sonarsource.com.
https://rules.sonarsource.com/javascript/RSPEC-2819/
window.addEventListener("message", function(event) {
if (event.origin !== "http://example.org") // Compliant
return;
console.log(event.data)
});
There was a problem hiding this comment.
@jyoungyun I actually referred that solution :-D
|
@jyoungyun PTAL :-D (Should I Pr this drafts at once or separately?) |
|
@dayo09 Could you update the commit title so that there is no |
This commit checks origin of messages in event handlers ONE-vscode-DCO-1.0-Signed-off-by: Dayoung Lee <[email protected]>
dayo09
force-pushed
the
0915-check-origin
branch
from
1fa31fb to
26f1122
Compare
dayo09
changed the title
This commit checks origin of messages in event handlers
ONE-vscode-DCO-1.0-Signed-off-by: Dayoung Lee [email protected]
For #1624 (comment)