new attempt at speaker view xss fix
This commit is contained in:
parent
0ca389721c
commit
4b6ac46cde
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
@ -1,4 +1,4 @@
|
|||||||
import speakerViewHTML from './speaker-view.html';
|
import speakerViewHTML from './speaker-view.html'
|
||||||
|
|
||||||
import { marked } from 'marked';
|
import { marked } from 'marked';
|
||||||
|
|
||||||
|
@ -350,8 +350,9 @@
|
|||||||
layoutDropdown,
|
layoutDropdown,
|
||||||
pendingCalls = {},
|
pendingCalls = {},
|
||||||
lastRevealApiCallId = 0,
|
lastRevealApiCallId = 0,
|
||||||
connected = false,
|
connected = false
|
||||||
whitelistedWindows = [window.opener];
|
|
||||||
|
var connectionStatus = document.querySelector( '#connection-status' );
|
||||||
|
|
||||||
var SPEAKER_LAYOUTS = {
|
var SPEAKER_LAYOUTS = {
|
||||||
'default': 'Default',
|
'default': 'Default',
|
||||||
@ -362,15 +363,29 @@
|
|||||||
|
|
||||||
setupLayout();
|
setupLayout();
|
||||||
|
|
||||||
var connectionStatus = document.querySelector( '#connection-status' );
|
let openerOrigin;
|
||||||
|
|
||||||
|
try {
|
||||||
|
openerOrigin = window.opener.location.origin;
|
||||||
|
}
|
||||||
|
catch ( error ) { console.warn( error ) }
|
||||||
|
|
||||||
|
// In order to prevent XSS, the speaker view will only run if its
|
||||||
|
// opener has the same origin as itself
|
||||||
|
if( window.location.origin !== openerOrigin ) {
|
||||||
|
connectionStatus.innerHTML = 'Cross origin error.<br>The speaker window can only be opened from the same origin.';
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
var connectionTimeout = setTimeout( function() {
|
var connectionTimeout = setTimeout( function() {
|
||||||
connectionStatus.innerHTML = 'Error connecting to main window.<br>Please try closing and reopening the speaker view.';
|
connectionStatus.innerHTML = 'Error connecting to main window.<br>Please try closing and reopening the speaker view.';
|
||||||
}, 5000 );
|
}, 5000 );
|
||||||
;
|
;
|
||||||
window.addEventListener( 'message', function( event ) {
|
window.addEventListener( 'message', function( event ) {
|
||||||
|
|
||||||
// Validate the origin of this message to prevent XSS
|
// Validate the origin of all messages to avoid parsing messages
|
||||||
if( window.location.origin !== event.origin && whitelistedWindows.indexOf( event.source ) === -1 ) {
|
// that aren't meant for us
|
||||||
|
if( window.location.origin !== event.origin ) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
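Review bot: Both new checks, `if( window.location.origin !== openerOrigin )` and `if( window.location.origin !== event.origin )`, compare serialized origins, and an opaque origin serializes to the literal string "null" — so if the speaker view itself is loaded from a `file:` URL or another opaque-origin context, `window.location.origin` is `'null'` and a message whose `event.origin` is also `'null'` (any opaque-origin sender) would pass the listener's check; the opener comparison appears less exposed, since reading `window.opener.location.origin` across an opaque origin throws and lands in the catch, but that is inferred rather than visible here. Rejecting the opaque serialization up front closes the gap: `if( window.location.origin === 'null' || window.location.origin !== event.origin ) {`, with the same guard ahead of the opener comparison. Separately, when `window.opener` is null (the speaker view was navigated to directly) the `try` block throws a TypeError that is only `console.warn`-ed, `openerOrigin` stays undefined, and the user is shown the cross-origin message, which is misleading for that case; a distinct message when `window.opener` is null would help. The enclosing function starts and ends outside the hunk.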
@ -539,8 +554,6 @@
|
|||||||
upcomingSlide.setAttribute( 'src', upcomingURL );
|
upcomingSlide.setAttribute( 'src', upcomingURL );
|
||||||
document.querySelector( '#upcoming-slide' ).appendChild( upcomingSlide );
|
document.querySelector( '#upcoming-slide' ).appendChild( upcomingSlide );
|
||||||
|
|
||||||
whitelistedWindows.push( currentSlide.contentWindow, upcomingSlide.contentWindow );
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|