From d57a0dec641730f298851b364c34373ce08d8d2c Mon Sep 17 00:00:00 2001
From: "J. Ryan Stinnett"
Date: Fri, 12 Jul 2019 19:18:30 +0100
Subject: [PATCH] Use URL to parse IM origins

This allows the configuration for `integrations_ui_url` to be more flexible. In particular, it no longer matters whether you include a trailing slash after the port, for example.

---
 src/ScalarMessaging.js | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/src/ScalarMessaging.js b/src/ScalarMessaging.js
index ca58acf00e..5cc187268a 100644
--- a/src/ScalarMessaging.js
+++ b/src/ScalarMessaging.js
@@ -546,11 +546,21 @@ const onMessage = function(event) {
 // This means the URL could contain a path (like /develop) and still be used
 // to validate event origins, which do not specify paths.
 // (See https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage)
- //
- // All strings start with the empty string, so for sanity return if the length
- // of the event origin is 0.
- const url = SdkConfig.get().integrations_ui_url;
- if (event.origin.length === 0 || !url.startsWith(event.origin + '/')) {
+ let configUrl;
+ try {
+ configUrl = new URL(SdkConfig.get().integrations_ui_url);
+ } catch (e) {
+ // No integrations UI URL, ignore silently.
+ return;
+ }
+ let eventOriginUrl;
+ try {
+ eventOriginUrl = new URL(event.origin);
+ } catch (e) {
+ console.warn(`Message from IM with unparsable origin ${event.origin} ignored`);
+ return;
+ }
+ if (configUrl.origin !== eventOriginUrl.origin) {
 console.warn(`Message from IM with invalid origin ${event.origin} ignored`);
 return;
 }
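Review bot: A set but unparsable `integrations_ui_url` (for example a relative path such as `/integrations/`, which `new URL()` rejects without a base) now lands in the first catch block, which comments "No integrations UI URL, ignore silently" and drops every IM message with no diagnostic, so a misconfiguration is indistinguishable from the feature being unset. Checking for the unset case first and warning on a parse failure keeps the silent path only for the genuinely absent value; the rewritten lines are below. The context comment at the top of the hunk ("This means the URL could contain a path ... and still be used to validate event origins") appears to explain the removed `startsWith` check, so the comment it belongs to, which begins above the hunk, probably needs rewording to something like `// Compare serialized origins (scheme, host, port); any path in integrations_ui_url is ignored.` `onMessage` starts and ends outside the hunk.
```javascript
const configured = SdkConfig.get().integrations_ui_url;
if (!configured) {
    // No integrations UI URL configured, ignore silently.
    return;
}
let configUrl;
try {
    configUrl = new URL(configured);
} catch (e) {
    console.warn(`integrations_ui_url "${configured}" is not an absolute URL; ignoring IM message`);
    return;
}
// … unchanged: event.origin parsing and origin comparison …
```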