fix: check the source when handling events (#671)
jinoosss authored Jan 30, 2025
1 parent 38f089a commit c987a23
Showing 2 changed files with 27 additions and 16 deletions.
35 changes: 20 additions & 15 deletions packages/adena-extension/src/content.ts
Expand Up @@ -5,7 +5,9 @@ const sendMessage = (event: MessageEvent): void => {
const message = event.data;
chrome.runtime.sendMessage(message, (response) => {
Promise.resolve(response).then((result) => {
event.source?.postMessage(result);
event.source?.postMessage(result, {
targetOrigin: event.origin,
});
});
return true;
});
Expand All @@ -21,21 +23,24 @@ const loadScript = (): void => {
};

const initListener = (): void => {
window.addEventListener(
'message',
(event) => {
try {
if (event.data?.status === 'request') {
sendMessage(event);
} else {
return event.data;
}
} catch (e) {
console.error(e);
const listener = (event: MessageEvent): void => {
if (event.origin !== window.location.origin) {
console.warn(`Untrusted origin: ${event.origin}`);
return;
}

try {
if (event.data?.status === 'request') {
sendMessage(event);
} else {
return event.data;
}
},
false,
);
} catch (e) {
console.error(e);
}
};

window.addEventListener('message', listener, false);
};

const initExtensionListener = (): void => {
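Review bot: The new `listener` in `initListener` filters on `event.origin` only, although the commit title says the source is checked; any other same-origin browsing context (a same-origin iframe, or an opener/popup window) can still deliver a `{ status: 'request' }` message that `sendMessage` forwards to `chrome.runtime.sendMessage`. Since the injected executor posts to its own `window`, the usual content-script guard requires both, `if (event.source !== window || event.origin !== window.location.origin) {`. This still does not separate the wallet's injected script from other scripts running in the same page, which is inherent to a `window.postMessage` bridge, so the extension side must keep treating every forwarded request as untrusted. The `return event.data;` retained in the new `void` listener has no effect because an event listener's return value is discarded; a bare `return;` reads clearer.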
8 changes: 7 additions & 1 deletion packages/adena-extension/src/inject/executor/executor.ts
Expand Up @@ -169,7 +169,8 @@ export class AdenaExecutor {
hostname: window.location.hostname,
key: this.eventKey,
};
window.postMessage(this.eventMessage, '*');

window.postMessage(this.eventMessage, window.location.origin);
this.messages[this.eventKey] = {
request: this.eventMessage,
response: undefined,
Expand Down Expand Up @@ -201,6 +202,11 @@ export class AdenaExecutor {
};

private messageHandler = (event: MessageEvent<InjectionMessage>): void => {
if (event.origin !== window.location.origin) {
console.warn(`Untrusted origin: ${event.origin}`);
return;
}

const eventData = event.data;
if (eventData.status) {
const { key, status, data, code, message, type } = eventData;
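Review bot: `window.postMessage(this.eventMessage, window.location.origin)` throws a SyntaxError when the page's origin is opaque, i.e. `window.location.origin === 'null'` (a sandboxed iframe without allow-same-origin, or a `file:` page), because `'null'` is not a valid targetOrigin URL; the replaced `'*'` did not have this failure mode. If that case matters for the dapps this is injected into, `window.postMessage(this.eventMessage, '/');` restricts delivery to the caller's own origin and also works for opaque origins. In `messageHandler`, the string comparison `event.origin !== window.location.origin` accepts any opaque-origin sender on such a page, since every opaque origin serializes to `'null'`, so requiring `event.source === window` there as well would close that gap. Both `messageHandler` and the method around the first hunk continue outside the shown lines.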
