aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authortoasted-nutbread <toasted-nutbread@users.noreply.github.com>2020-02-16 23:41:17 -0500
committertoasted-nutbread <toasted-nutbread@users.noreply.github.com>2020-02-16 23:41:17 -0500
commitaee16c443195ff8ab2b0f5f5e8551e44895d48a1 (patch)
tree5ce788e02d378f859848ad4e8391086b5140e7b5
parent2ace8d4ffa89d07a4fb07a410134054a1bccc431 (diff)
Check origin on window messages
-rw-r--r--ext/bg/js/settings/popup-preview-frame.js3
-rw-r--r--ext/bg/js/settings/popup-preview.js8
-rw-r--r--ext/fg/js/popup.js3
3 files changed, 10 insertions, 4 deletions
diff --git a/ext/bg/js/settings/popup-preview-frame.js b/ext/bg/js/settings/popup-preview-frame.js
index e900d4e2..890b8c96 100644
--- a/ext/bg/js/settings/popup-preview-frame.js
+++ b/ext/bg/js/settings/popup-preview-frame.js
@@ -27,6 +27,7 @@ class SettingsPopupPreview {
this.popupShown = false;
this.themeChangeTimeout = null;
this.textSource = null;
+ this._targetOrigin = chrome.runtime.getURL('/').replace(/\/$/, '');
}
static create() {
@@ -97,6 +98,8 @@ class SettingsPopupPreview {
}
onMessage(e) {
+ if (e.origin !== this._targetOrigin) { return; }
+
const {action, params} = e.data;
const handler = SettingsPopupPreview._messageHandlers.get(action);
if (typeof handler !== 'function') { return; }
diff --git a/ext/bg/js/settings/popup-preview.js b/ext/bg/js/settings/popup-preview.js
index 0d20471e..d1d2ff5e 100644
--- a/ext/bg/js/settings/popup-preview.js
+++ b/ext/bg/js/settings/popup-preview.js
@@ -40,20 +40,22 @@ function showAppearancePreview() {
window.wanakana.bind(text[0]);
+ const targetOrigin = chrome.runtime.getURL('/').replace(/\/$/, '');
+
text.on('input', () => {
const action = 'setText';
const params = {text: text.val()};
- frame.contentWindow.postMessage({action, params}, '*');
+ frame.contentWindow.postMessage({action, params}, targetOrigin);
});
customCss.on('input', () => {
const action = 'setCustomCss';
const params = {css: customCss.val()};
- frame.contentWindow.postMessage({action, params}, '*');
+ frame.contentWindow.postMessage({action, params}, targetOrigin);
});
customOuterCss.on('input', () => {
const action = 'setCustomOuterCss';
const params = {css: customOuterCss.val()};
- frame.contentWindow.postMessage({action, params}, '*');
+ frame.contentWindow.postMessage({action, params}, targetOrigin);
});
container.append(frame);
diff --git a/ext/fg/js/popup.js b/ext/fg/js/popup.js
index 59c46ab8..900e7325 100644
--- a/ext/fg/js/popup.js
+++ b/ext/fg/js/popup.js
@@ -33,6 +33,7 @@ class Popup {
this._options = null;
this._contentScale = 1.0;
this._containerSizeContentScale = null;
+ this._targetOrigin = chrome.runtime.getURL('/').replace(/\/$/, '');
this._container = document.createElement('iframe');
this._container.className = 'yomichan-float';
@@ -349,7 +350,7 @@ class Popup {
_invokeApi(action, params={}) {
if (this._container.contentWindow) {
- this._container.contentWindow.postMessage({action, params}, '*');
+ this._container.contentWindow.postMessage({action, params}, this._targetOrigin);
}
}