From aee16c443195ff8ab2b0f5f5e8551e44895d48a1 Mon Sep 17 00:00:00 2001
From: toasted-nutbread <toasted-nutbread@users.noreply.github.com>
Date: Sun, 16 Feb 2020 23:41:17 -0500
Subject: Check origin on window messages

---
 ext/fg/js/popup.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'ext/fg/js')

diff --git a/ext/fg/js/popup.js b/ext/fg/js/popup.js
index 59c46ab8..900e7325 100644
--- a/ext/fg/js/popup.js
+++ b/ext/fg/js/popup.js
@@ -33,6 +33,7 @@ class Popup {
         this._options = null;
         this._contentScale = 1.0;
         this._containerSizeContentScale = null;
+        this._targetOrigin = chrome.runtime.getURL('/').replace(/\/$/, '');
 
         this._container = document.createElement('iframe');
         this._container.className = 'yomichan-float';
@@ -349,7 +350,7 @@ class Popup {
 
     _invokeApi(action, params={}) {
         if (this._container.contentWindow) {
-            this._container.contentWindow.postMessage({action, params}, '*');
+            this._container.contentWindow.postMessage({action, params}, this._targetOrigin);
         }
     }
 
-- 
cgit v1.2.3