From dc9b5fa996d448f484a0a61bed2c8a52ba47b58e Mon Sep 17 00:00:00 2001
From: "J. Ryan Stinnett"
Date: Fri, 12 Jul 2019 19:04:20 +0100
Subject: [PATCH 1/3] Log when integration manager origin is invalid
---
 src/ScalarMessaging.js | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/ScalarMessaging.js b/src/ScalarMessaging.js
index fa7b8c5b76..ca58acf00e 100644
--- a/src/ScalarMessaging.js
+++ b/src/ScalarMessaging.js
@@ -549,13 +549,14 @@ const onMessage = function(event) {
 //
 // All strings start with the empty string, so for sanity return if the length
 // of the event origin is 0.
- //
+ const url = SdkConfig.get().integrations_ui_url;
+ if (event.origin.length === 0 || !url.startsWith(event.origin + '/')) {
+ console.warn(`Message from IM with invalid origin ${event.origin} ignored`);
+ return;
+ }
 // TODO -- Scalar postMessage API should be namespaced with event.data.api field
 // Fix following "if" statement to respond only to specific API messages.
- const url = SdkConfig.get().integrations_ui_url;
 if (
- event.origin.length === 0 ||
- !url.startsWith(event.origin + '/') ||
 !event.data.action ||
 event.data.api // Ignore messages with specific API set
 ) {
From d57a0dec641730f298851b364c34373ce08d8d2c Mon Sep 17 00:00:00 2001
From: "J. Ryan Stinnett"
Date: Fri, 12 Jul 2019 19:18:30 +0100
Subject: [PATCH 2/3] Use URL to parse IM origins
This allows the configuration for `integrations_ui_url` to be more flexible. In particular, it no longer matters whether you include a trailing slash after the port, for example.
---
 src/ScalarMessaging.js | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/src/ScalarMessaging.js b/src/ScalarMessaging.js
index ca58acf00e..5cc187268a 100644
--- a/src/ScalarMessaging.js
+++ b/src/ScalarMessaging.js
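Review bot: `url.startsWith(...)` on the new line throws a TypeError whenever `integrations_ui_url` is not set in the config, and because this handler receives every window message the exception fires on unrelated postMessage traffic as well; guard it with `if (!url || event.origin.length === 0 || !url.startsWith(event.origin + '/')) {`. The prefix match is also fragile: a configured URL without a trailing slash does not match a well-formed origin, and a configured URL carrying an explicit default port is unlikely to match one either, since browsers omit the default port from `event.origin`. The second patch in this series replaces this check with URL parsing, which covers both cases. onMessage begins and ends outside the hunk.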
@@ -546,11 +546,21 @@ const onMessage = function(event) {
 // This means the URL could contain a path (like /develop) and still be used
 // to validate event origins, which do not specify paths.
 // (See https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage)
- //
- // All strings start with the empty string, so for sanity return if the length
- // of the event origin is 0.
- const url = SdkConfig.get().integrations_ui_url;
- if (event.origin.length === 0 || !url.startsWith(event.origin + '/')) {
+ let configUrl;
+ try {
+ configUrl = new URL(SdkConfig.get().integrations_ui_url);
+ } catch (e) {
+ // No integrations UI URL, ignore silently.
+ return;
+ }
+ let eventOriginUrl;
+ try {
+ eventOriginUrl = new URL(event.origin);
+ } catch (e) {
+ console.warn(`Message from IM with unparsable origin ${event.origin} ignored`);
+ return;
+ }
+ if (configUrl.origin !== eventOriginUrl.origin) {
 console.warn(`Message from IM with invalid origin ${event.origin} ignored`);
 return;
 }
From 60adbdc2eb37cd592ec756268bfbb43766257442 Mon Sep 17 00:00:00 2001
From: "J. Ryan Stinnett"
Date: Wed, 17 Jul 2019 09:42:04 +0100
Subject: [PATCH 3/3] Remove logging of origin mismatch
---
 src/ScalarMessaging.js | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/src/ScalarMessaging.js b/src/ScalarMessaging.js
index 5cc187268a..8b87650929 100644
--- a/src/ScalarMessaging.js
+++ b/src/ScalarMessaging.js
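Review bot: The first catch block on the new side treats every failure of `new URL(SdkConfig.get().integrations_ui_url)` as "No integrations UI URL", so a present but malformed `integrations_ui_url` silently drops every integration-manager message with nothing in the console to explain why. Treating a missing value as the quiet case and a malformed value as a warning keeps today's behaviour for unconfigured deployments while making a misconfiguration visible; ideally the value is validated once when the config is loaded rather than on every message. Comparing `URL.origin` values is the right check here, since it normalizes default ports and ignores the path, which is exactly what the description asks for. onMessage begins and ends outside the hunk.
```javascript
const integrationsUiUrl = SdkConfig.get().integrations_ui_url;
if (!integrationsUiUrl) {
    // Integrations UI not configured: nothing to validate against.
    return;
}
let configUrl;
try {
    configUrl = new URL(integrationsUiUrl);
} catch (e) {
    console.warn(`integrations_ui_url ${integrationsUiUrl} is not a valid URL, ignoring IM message`);
    return;
}
// … unchanged: event origin parsing and origin comparison …
```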
@@ -557,20 +557,18 @@ const onMessage = function(event) {
 try {
 eventOriginUrl = new URL(event.origin);
 } catch (e) {
- console.warn(`Message from IM with unparsable origin ${event.origin} ignored`);
- return;
- }
- if (configUrl.origin !== eventOriginUrl.origin) {
- console.warn(`Message from IM with invalid origin ${event.origin} ignored`);
 return;
 }
 // TODO -- Scalar postMessage API should be namespaced with event.data.api field
 // Fix following "if" statement to respond only to specific API messages.
 if (
+ configUrl.origin !== eventOriginUrl.origin ||
 !event.data.action ||
 event.data.api // Ignore messages with specific API set
 ) {
- return; // don't log this - debugging APIs like to spam postMessage which floods the log otherwise
+ // don't log this - debugging APIs and browser add-ons like to spam
+ // postMessage which floods the log otherwise
+ return;
 }
 
 if (event.data.action === "close_scalar") {
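Review bot: Folding `configUrl.origin !== eventOriginUrl.origin` into the same `if` as the API-spam filter makes the trust boundary depend on operand order: it is correct as written only because `||` short-circuits before `event.data.action` is read, and a later edit that reorders the operands would evaluate `event.data` of an unverified sender before the origin has been checked. Keeping the origin comparison as its own silent guard preserves the no-logging intent while leaving the check visibly separate, e.g. `if (configUrl.origin !== eventOriginUrl.origin) {` / `    return; // not from the configured IM; deliberately unlogged` / `}` placed immediately before the existing `if (`. The new comment only explains the debugging-API case; if the combined form is kept it should also say that origin mismatches are intentionally silent, since a scheme or port mismatch in `integrations_ui_url` now leaves no trace at all. onMessage begins and ends outside the hunk.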