Support origin lock in cross-origin renderer
This adds a URL parameter to the cross-origin renderer that makes it accept messages only from a given domain. It adds an extra layer of security to the cross-origin iframe and is backwards compatible in both directions.
This commit is contained in:
parent
44bc60105a
commit
79c3335765
@ -1,5 +1,6 @@
|
|||||||
/*
|
/*
|
||||||
Copyright 2015, 2016 OpenMarket Ltd
|
Copyright 2015, 2016 OpenMarket Ltd
|
||||||
|
Copyright 2018 New Vector Ltd
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
you may not use this file except in compliance with the License.
|
you may not use this file except in compliance with the License.
|
||||||
@ -99,16 +100,27 @@ Tinter.registerTintable(updateTintedDownloadImage);
|
|||||||
// overridable so that people running their own version of the client can
|
// overridable so that people running their own version of the client can
|
||||||
// choose a different renderer.
|
// choose a different renderer.
|
||||||
//
|
//
|
||||||
// To that end the first version of the blob generation will be the following
|
// To that end the current version of the blob generation is the following
|
||||||
// html:
|
// html:
|
||||||
//
|
//
|
||||||
// <html><head><script>
|
// <html><head><script>
|
||||||
// window.onmessage=function(e){eval("("+e.data.code+")")(e)}
|
// var params = window.location.search.substring(1).split('&');
|
||||||
|
// var lockOrigin;
|
||||||
|
// for (var i = 0; i < params.length; ++i) {
|
||||||
|
// var parts = params[i].split('=');
|
||||||
|
// if (parts[0] == 'origin') lockOrigin = decodeURIComponent(parts[1]);
|
||||||
|
// }
|
||||||
|
// window.onmessage=function(e){
|
||||||
|
// if (lockOrigin && event.origin === lockOrigin) eval("("+e.data.code+")")(e);
|
||||||
|
// }
|
||||||
// </script></head><body></body></html>
|
// </script></head><body></body></html>
|
||||||
//
|
//
|
||||||
// This waits to receive a message event sent using the window.postMessage API.
|
// This waits to receive a message event sent using the window.postMessage API.
|
||||||
// When it receives the event it evals a javascript function in data.code and
|
// When it receives the event it evals a javascript function in data.code and
|
||||||
// runs the function passing the event as an argument.
|
// runs the function passing the event as an argument. This version adds
|
||||||
|
// support for a query parameter controlling the origin from which messages
|
||||||
|
// will be processed as an extra layer of security (note that the default URL
|
||||||
|
// is still 'v1' since it is backwards compatible).
|
||||||
//
|
//
|
||||||
// In particular it means that the rendering function can be written as a
|
// In particular it means that the rendering function can be written as a
|
||||||
// ordinary javascript function which then is turned into a string using
|
// ordinary javascript function which then is turned into a string using
|
||||||
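Review bot: The documented handler at `// window.onmessage=function(e){` names its parameter `e` but the added check reads `event.origin`, so it relies on the implicit global `window.event`, which is not available in every browser and would silently drop every message where it is missing; the comment should read `// if (lockOrigin && e.origin === lockOrigin) eval("("+e.data.code+")")(e);`, and the renderer page this comment describes should be checked for the same slip. The comment would also benefit from stating that the `lockOrigin &&` guard fails closed: with no `origin` query parameter the updated renderer processes no messages at all, which bears on the "backwards compatible" remark a few lines below since a client that does not send the parameter against an updated renderer gets no rendering. Both points are documentation only, as the hunk changes nothing but comments.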
@ -325,6 +337,7 @@ module.exports = React.createClass({
|
|||||||
if (this.context.appConfig && this.context.appConfig.cross_origin_renderer_url) {
|
if (this.context.appConfig && this.context.appConfig.cross_origin_renderer_url) {
|
||||||
renderer_url = this.context.appConfig.cross_origin_renderer_url;
|
renderer_url = this.context.appConfig.cross_origin_renderer_url;
|
||||||
}
|
}
|
||||||
|
renderer_url += "?origin=" + encodeURIComponent(document.origin);
|
||||||
return (
|
return (
|
||||||
<span className="mx_MFileBody">
|
<span className="mx_MFileBody">
|
||||||
<div className="mx_MFileBody_download">
|
<div className="mx_MFileBody_download">
|
||||||
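Review bot: `renderer_url += "?origin=" + encodeURIComponent(document.origin);` assumes the configured `cross_origin_renderer_url` carries no query string; a config value that already has one ends up with a second `?`, the renderer's `split('&')` parser never sees an `origin` key, and the lock silently never engages. Building the URL instead as `const url = new URL(renderer_url, window.location.href);` / `url.searchParams.set("origin", window.location.origin);` / `renderer_url = url.toString();` handles both cases, and `window.location.origin` is the standard property where `document.origin` is non-standard. The parameter only restricts what the iframe accepts; any `message` listener on the client side that consumes replies from the iframe still needs its own origin check, which is outside this hunk. The enclosing render function starts and ends outside the hunk, so where `renderer_url` is declared and defaulted is not visible here.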
|