Use URL to parse IM origins
This allows the configuration for `integrations_ui_url` to be more flexible. In particular, it no longer matters whether you include a trailing slash after the port, for example.
parent
dc9b5fa996
commit
d57a0dec64
1 changed files with 15 additions and 5 deletions
|
@ -546,11 +546,21 @@ const onMessage = function(event) {
|
|||
// This means the URL could contain a path (like /develop) and still be used
|
||||
// to validate event origins, which do not specify paths.
|
||||
// (See https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage)
|
||||
//
|
||||
// All strings start with the empty string, so for sanity return if the length
|
||||
// of the event origin is 0.
|
||||
const url = SdkConfig.get().integrations_ui_url;
|
||||
if (event.origin.length === 0 || !url.startsWith(event.origin + '/')) {
|
||||
let configUrl;
|
||||
try {
|
||||
configUrl = new URL(SdkConfig.get().integrations_ui_url);
|
||||
} catch (e) {
|
||||
// No integrations UI URL, ignore silently.
|
||||
return;
|
||||
}
|
||||
let eventOriginUrl;
|
||||
try {
|
||||
eventOriginUrl = new URL(event.origin);
|
||||
} catch (e) {
|
||||
console.warn(`Message from IM with unparsable origin ${event.origin} ignored`);
|
||||
return;
|
||||
}
|
||||
if (configUrl.origin !== eventOriginUrl.origin) {
|
||||
console.warn(`Message from IM with invalid origin ${event.origin} ignored`);
|
||||
return;
|
||||
}
|
||||
|
|
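Review bot: The check `if (configUrl.origin !== eventOriginUrl.origin)` assumes both sides are tuple origins, but `URL.origin` serialises every opaque origin to the literal string `"null"`, so the comparison would stop distinguishing senders if `integrations_ui_url` were ever set to a URL whose scheme has an opaque origin. That is only reachable through configuration, and an event origin of `null` already fails `new URL()`, so this is defence in depth: `if (configUrl.origin === 'null' || configUrl.origin !== eventOriginUrl.origin) {`. The first `catch` also treats a malformed `integrations_ui_url` the same as an absent one, which its comment should state, e.g. `// Missing or unparsable integrations UI URL: no origin can be trusted, so drop the message.` The rest of `onMessage` lies outside this hunk, so any further validation of the message cannot be judged from here.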