django-oidc-provider/oidc_provider/templates/oidc_provider/check_session_iframe.html

{% load staticfiles %}

<html lang="en">
    <head>
        <meta charset="utf-8">
        <title>OP Iframe</title>
        <script src="{% static 'oidc_provider/js/sha256.min.js' %}"></script>
        <script language="JavaScript" type="text/javascript">
            window.addEventListener("message", receiveMessage, false);

            function receiveMessage(e) {
                if (!e.data || typeof e.data != 'string' || e.data == 'error') {
                    return;
                }

                var status;
                try {
                    var clientId = e.data.split(' ')[0];
                    var sessionState = e.data.split(' ')[1];
                    var salt = sessionState.split('.')[1];

                    var browserState = getOpBrowserState();

                    var sessionStateCalculated = sha256(clientId + ' ' + e.origin + ' ' + browserState + ' ' + salt) + '.' + salt;

                    if (sessionState == sessionStateCalculated) {
                        status = 'unchanged';
                    } else {
                        status = 'changed';
                    }
                } catch(err) {
                    status = 'error';
                }
                e.source.postMessage(status, e.origin);
            };

            function getOpBrowserState() {
                var theName = 'op_browser_state=';
                var theCookie = document.cookie + ';';
                var start = theCookie.indexOf(theName);
                if (start != -1)
                {
                    var end = theCookie.indexOf(';', start);
                    return unescape(theCookie.substring(start + theName.length, end));
                }
                throw new Error('We couldn\'t find the "op_browser_state" cookie.');
            }
        </script>
    </head>
    <body>
        OpenID Connect Session Management OP Iframe.
    </body>
</html>
Initial Session Management version. 2016-10-28 18:25:52 +00:00			`{% load staticfiles %}`

			`<html lang="en">`
			`<head>`
			`<meta charset="utf-8">`
			`<title>OP Iframe</title>`
			`<script src="{% static 'oidc_provider/js/sha256.min.js' %}"></script>`
			`<script language="JavaScript" type="text/javascript">`
			`window.addEventListener("message", receiveMessage, false);`

			`function receiveMessage(e) {`
Fixed infinite callback loop in check-session iframe This commit fixes the JS callback defined in the check-session iframe which can produce infinite callback loops if the received message doesn't come from the relying party. In that case another message is posted to the source of the message (which can be the OP itself) thus resulting in an infinite loop because "error" messages are continuously generated by the callback function. 2018-03-28 14:34:01 +00:00			`if (!e.data \|\| typeof e.data != 'string' \|\| e.data == 'error') {`
			`return;`
			`}`

Initial Session Management version. 2016-10-28 18:25:52 +00:00			`var status;`
			`try {`
			`var clientId = e.data.split(' ')[0];`
			`var sessionState = e.data.split(' ')[1];`
			`var salt = sessionState.split('.')[1];`

			`var browserState = getOpBrowserState();`

			`var sessionStateCalculated = sha256(clientId + ' ' + e.origin + ' ' + browserState + ' ' + salt) + '.' + salt;`

			`if (sessionState == sessionStateCalculated) {`
			`status = 'unchanged';`
			`} else {`
			`status = 'changed';`
			`}`
			`} catch(err) {`
			`status = 'error';`
			`}`
			`e.source.postMessage(status, e.origin);`
			`};`

			`function getOpBrowserState() {`
			`var theName = 'op_browser_state=';`
			`var theCookie = document.cookie + ';';`
			`var start = theCookie.indexOf(theName);`
			`if (start != -1)`
			`{`
			`var end = theCookie.indexOf(';', start);`
			`return unescape(theCookie.substring(start + theName.length, end));`
			`}`
			`throw new Error('We couldn\'t find the "op_browser_state" cookie.');`
			`}`
			`</script>`
			`</head>`
			`<body>`
			`OpenID Connect Session Management OP Iframe.`
			`</body>`
			`</html>`