Support origin lock in cross-origin renderer

This adds a URL parameter to the cross-origin renderer that makes
it only accept messages from a given domain. This adds an extra
layer of security to the cross-origin iframe and is backwards
compatible in both directions.
David Baker 2018-04-24 16:05:14 +01:00
parent 44bc60105a
commit 79c3335765


@ -1,5 +1,6 @@
/* /*
Copyright 2015, 2016 OpenMarket Ltd Copyright 2015, 2016 OpenMarket Ltd
Copyright 2018 New Vector Ltd
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.
@ -99,16 +100,27 @@ Tinter.registerTintable(updateTintedDownloadImage);
// overridable so that people running their own version of the client can // overridable so that people running their own version of the client can
// choose a different renderer. // choose a different renderer.
// //
// To that end the first version of the blob generation will be the following // To that end the current version of the blob generation is the following
// html: // html:
// //
// <html><head><script> // <html><head><script>
// window.onmessage=function(e){eval("("+e.data.code+")")(e)} // var params = window.location.search.substring(1).split('&');
// var lockOrigin;
// for (var i = 0; i < params.length; ++i) {
// var parts = params[i].split('=');
// if (parts[0] == 'origin') lockOrigin = decodeURIComponent(parts[1]);
// }
// window.onmessage=function(e){
// if (lockOrigin && event.origin === lockOrigin) eval("("+e.data.code+")")(e);
// }
// </script></head><body></body></html> // </script></head><body></body></html>
// //
// This waits to receive a message event sent using the window.postMessage API. // This waits to receive a message event sent using the window.postMessage API.
// When it receives the event it evals a javascript function in data.code and // When it receives the event it evals a javascript function in data.code and
// runs the function passing the event as an argument. // runs the function passing the event as an argument. This version adds
// support for a query parameter controlling the origin from which messages
// will be processed as an extra layer of security (note that the default URL
// is still 'v1' since it is backwards compatible).
// //
// In particular it means that the rendering function can be written as a // In particular it means that the rendering function can be written as a
// ordinary javascript function which then is turned into a string using // ordinary javascript function which then is turned into a string using
@ -325,6 +337,7 @@ module.exports = React.createClass({
if (this.context.appConfig && this.context.appConfig.cross_origin_renderer_url) { if (this.context.appConfig && this.context.appConfig.cross_origin_renderer_url) {
renderer_url = this.context.appConfig.cross_origin_renderer_url; renderer_url = this.context.appConfig.cross_origin_renderer_url;
} }
renderer_url += "?origin=" + encodeURIComponent(document.origin);
return ( return (
<span className="mx_MFileBody"> <span className="mx_MFileBody">
<div className="mx_MFileBody_download"> <div className="mx_MFileBody_download">
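Review bot: The added line `renderer_url += "?origin=" + encodeURIComponent(document.origin);` reads `document.origin`, which is non-standard and not implemented by every browser; where it is undefined the iframe is loaded with `origin=undefined`, and the handler documented in this commit would then discard every message. `window.location.origin` is the portable source, i.e. `renderer_url += "?origin=" + encodeURIComponent(window.location.origin);`. The unconditional `"?origin="` append also yields a malformed URL if a configured `cross_origin_renderer_url` already carries a query string, so the separator should be chosen by checking for an existing `?`. In the comment hunk, the documented handler tests `lockOrigin && event.origin === lockOrigin`, which refers to `event` rather than the parameter `e` and processes nothing when no `origin` parameter is supplied; that appears to conflict with the "backwards compatible in both directions" claim and should be reconciled with the deployed renderer. The enclosing render function starts and ends outside the hunk.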