new attempt at speaker view xss fix

This commit is contained in:
hakimel 2022-05-12 14:53:40 +02:00
parent 0ca389721c
commit 4b6ac46cde
4 changed files with 23 additions and 10 deletions

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long

View File

@ -1,4 +1,4 @@
import speakerViewHTML from './speaker-view.html';
import speakerViewHTML from './speaker-view.html'
import { marked } from 'marked';

View File

@ -350,8 +350,9 @@
layoutDropdown,
pendingCalls = {},
lastRevealApiCallId = 0,
connected = false,
whitelistedWindows = [window.opener];
connected = false
var connectionStatus = document.querySelector( '#connection-status' );
var SPEAKER_LAYOUTS = {
'default': 'Default',
@ -362,15 +363,29 @@
setupLayout();
var connectionStatus = document.querySelector( '#connection-status' );
let openerOrigin;
try {
openerOrigin = window.opener.location.origin;
}
catch ( error ) { console.warn( error ) }
// In order to prevent XSS, the speaker view will only run if its
// opener has the same origin as itself
if( window.location.origin !== openerOrigin ) {
connectionStatus.innerHTML = 'Cross origin error.<br>The speaker window can only be opened from the same origin.';
return;
}
var connectionTimeout = setTimeout( function() {
connectionStatus.innerHTML = 'Error connecting to main window.<br>Please try closing and reopening the speaker view.';
}, 5000 );
;
window.addEventListener( 'message', function( event ) {
// Validate the origin of this message to prevent XSS
if( window.location.origin !== event.origin && whitelistedWindows.indexOf( event.source ) === -1 ) {
// Validate the origin of all messages to avoid parsing messages
// that aren't meant for us
if( window.location.origin !== event.origin ) {
return;
}
@ -539,8 +554,6 @@
upcomingSlide.setAttribute( 'src', upcomingURL );
document.querySelector( '#upcoming-slide' ).appendChild( upcomingSlide );
whitelistedWindows.push( currentSlide.contentWindow, upcomingSlide.contentWindow );
}
/**