authortoasted-nutbread <toasted-nutbread@users.noreply.github.com>2020-02-17 11:02:21 -0500
committertoasted-nutbread <toasted-nutbread@users.noreply.github.com>2020-02-17 11:02:21 -0500
commit0f46e3a093e7f0c07ad310d8c17e2582bdfd2741 (patch)
tree63318e3ce1ac19a32bc96e29f3b9b9477853993b /ext/fg/js/popup.js
parentaee16c443195ff8ab2b0f5f5e8551e44895d48a1 (diff)
Use a token to ensure that messages are coming from Yomichan
Diffstat (limited to 'ext/fg/js/popup.js')
-rw-r--r--ext/fg/js/popup.js15
1 files changed, 11 insertions, 4 deletions
diff --git a/ext/fg/js/popup.js b/ext/fg/js/popup.js
index 900e7325..4927f4bd 100644
--- a/ext/fg/js/popup.js
+++ b/ext/fg/js/popup.js
@@ -16,7 +16,7 @@
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
-/*global apiInjectStylesheet*/
+/*global apiInjectStylesheet, apiGetMessageToken*/
class Popup {
constructor(id, depth, frameIdPromise) {
@@ -34,6 +34,7 @@ class Popup {
this._contentScale = 1.0;
this._containerSizeContentScale = null;
this._targetOrigin = chrome.runtime.getURL('/').replace(/\/$/, '');
+ this._messageToken = null;
this._container = document.createElement('iframe');
this._container.className = 'yomichan-float';
@@ -198,6 +199,10 @@ class Popup {
// NOP
}
+ if (this._messageToken === null) {
+ this._messageToken = await apiGetMessageToken();
+ }
+
return new Promise((resolve) => {
const parentFrameId = (typeof this._frameId === 'number' ? this._frameId : null);
this._container.setAttribute('src', chrome.runtime.getURL('/fg/float.html'));
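Review bot: A rejection from `apiGetMessageToken()` is not handled at the added `await`, so it propagates out of the enclosing function and the iframe `src` below is never set. The block that closes just above, whose visible body is only `// NOP`, appears to swallow its error instead. Failing closed is a reasonable choice for a value that authenticates messages, but the difference should be stated in a comment above the `if`, e.g. `// Fetched once and cached; if this rejects, injection is abandoned rather than continuing without a token.` The enclosing function starts and ends outside the hunk.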
@@ -349,9 +354,11 @@ class Popup {
}
_invokeApi(action, params={}) {
- if (this._container.contentWindow) {
- this._container.contentWindow.postMessage({action, params}, this._targetOrigin);
- }
+ const token = this._messageToken;
+ const contentWindow = this._container.contentWindow;
+ if (token === null || contentWindow === null) { return; }
+
+ contentWindow.postMessage({action, params, token}, this._targetOrigin);
}
static _getFullscreenElement() {
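Review bot: The added `contentWindow.postMessage({action, params, token}, this._targetOrigin)` call now carries a secret, and nothing in `_invokeApi` records that `this._targetOrigin` is what prevents delivery to a frame that is no longer on the extension origin. A comment above the call would guard against a later edit loosening it: `// token authenticates this message to the popup frame; targetOrigin must stay the extension origin, never '*'`. The early `return` also drops the call silently while the token is still `null`, which deserves a word in the same comment. The receiving-side check is not in this file's diff, so whether a missing or mismatched token is rejected there cannot be confirmed from here.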