From 79c3335765eb9aee0376349076c05ec5c69df580 Mon Sep 17 00:00:00 2001
From: David Baker
Date: Tue, 24 Apr 2018 16:05:14 +0100
Subject: [PATCH] Support origin lock in cross-origin renderer

This adds a URL parameter to the cross-origin renderer that makes it only accept messages from a given domain. This adds an extra layer of security to the cross-origin iframe and is backwards compatible in both directions.
---
 src/components/views/messages/MFileBody.js | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/src/components/views/messages/MFileBody.js b/src/components/views/messages/MFileBody.js
index 90efe24df3..fbce53e07a 100644
--- a/src/components/views/messages/MFileBody.js
+++ b/src/components/views/messages/MFileBody.js
@@ -1,5 +1,6 @@
 /*
 Copyright 2015, 2016 OpenMarket Ltd
+Copyright 2018 New Vector Ltd
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -99,16 +100,27 @@ Tinter.registerTintable(updateTintedDownloadImage);
 // overridable so that people running their own version of the client can // choose a different renderer. //
-// To that end the first version of the blob generation will be the following
+// To that end the current version of the blob generation is the following
 // html: // // // This waits to receive a message event sent using the window.postMessage API. // When it receives the event it evals a javascript function in data.code and
-// runs the function passing the event as an argument.
+// runs the function passing the event as an argument. This version adds // support for a query parameter controlling the origin from which messages // will be processed as an extra layer of security (note that the default URL // is still 'v1' since it is backwards compatible). // // In particular it means that the rendering function can be written as a // ordinary javascript function which then is turned into a string using
@@ -325,6 +337,7 @@ module.exports = React.createClass({
 if (this.context.appConfig && this.context.appConfig.cross_origin_renderer_url) {
 renderer_url = this.context.appConfig.cross_origin_renderer_url;
 }
+ renderer_url += "?origin=" + encodeURIComponent(document.origin);
 return (
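Review bot: The added line reads `document.origin`, a deprecated, non-standard property; in a browser that lacks it the URL becomes `?origin=undefined`, and depending on how the hosted renderer treats that value the lock is either silently not applied or every download is rejected. The standard property is `window.location.origin`, and the parameter should be joined with `&` when the configured `cross_origin_renderer_url` already carries a query string, since a second `?` would keep the renderer from ever seeing it: `const sep = renderer_url.indexOf("?") === -1 ? "?" : "&"; renderer_url += sep + "origin=" + encodeURIComponent(window.location.origin);`. Whether the parameter is actually enforced is decided by the renderer page, which is not part of this diff; the comment hunk itself notes the default 'v1' renderer is unchanged, so deployments on the old renderer presumably ignore it and gain no protection from this line. The enclosing render method starts and ends outside the hunk.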