notes plugin only listens for same-origin postmessages to prevent xss

2022-05-12 22:07:48 +02:00
parent 4b6ac46cde
commit 3dade61176
9 changed files with 36 additions and 21 deletions
--- a/plugin/notes/speaker-view.html
+++ b/plugin/notes/speaker-view.html
@ -380,14 +380,8 @@
 				var connectionTimeout = setTimeout( function() {
 					connectionStatus.innerHTML = 'Error connecting to main window.<br>Please try closing and reopening the speaker view.';
 				}, 5000 );
-;
-				window.addEventListener( 'message', function( event ) {

-					// Validate the origin of all messages to avoid parsing messages
-					// that aren't meant for us
-					if( window.location.origin !== event.origin ) {
-						return;
-					}
+				window.addEventListener( 'message', function( event ) {

 					clearTimeout( connectionTimeout );
 					connectionStatus.style.display = 'none';