From c0b379b5355c05555d48891092ee04a33a5bbac8 Mon Sep 17 00:00:00 2001 From: ansuz Date: Fri, 11 Feb 2022 19:22:03 +0530 Subject: [PATCH] apply strict controls for postMessage and tighten up blob CSP --- lib/defaults.js | 2 +- www/common/onlyoffice/inner.js | 2 +- www/common/outer/worker-channel.js | 13 +++++++++++-- www/common/sframe-common-outer.js | 2 +- www/common/sframe-common.js | 2 +- www/secureiframe/main.js | 2 +- www/unsafeiframe/main.js | 2 +- 7 files changed, 17 insertions(+), 8 deletions(-) diff --git a/lib/defaults.js b/lib/defaults.js index f43253ccb..3f1ac0bda 100644 --- a/lib/defaults.js +++ b/lib/defaults.js @@ -18,7 +18,7 @@ Default.commonCSP = function (domain, sandbox) { */ "child-src 'self' blob: " + domain + sandbox, // IE/Edge - "frame-src 'self' blob: " + domain + sandbox, + `frame-src 'self' blob:${sandbox}/* blob:${domain}/* ${domain} ${sandbox}`, /* this allows connections over secure or insecure websockets if you are deploying to production, you'll probably want to remove diff --git a/www/common/onlyoffice/inner.js b/www/common/onlyoffice/inner.js index 041ddd685..547ef6c9d 100644 --- a/www/common/onlyoffice/inner.js +++ b/www/common/onlyoffice/inner.js @@ -1361,7 +1361,7 @@ define([ msgEv.fire(msg); }); var postMsg = function (data) { - iframe.postMessage(data, '*'); + iframe.postMessage(data, ApiConfig.httpSafeOrigin); }; Channel.create(msgEv, postMsg, function (chan) { APP.chan = chan; diff --git a/www/common/outer/worker-channel.js b/www/common/outer/worker-channel.js index 06b38a96b..73d0327da 100644 --- a/www/common/outer/worker-channel.js +++ b/www/common/outer/worker-channel.js 
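Review bot: The rewritten frame-src line places `${sandbox}` and `${domain}` directly after `blob:`, but the old line (`"blob: " + domain + sandbox`) and the `child-src` line just above it only make sense if both values already carry a leading space, in which case the template emits `blob: https://sandbox-host/*` and a CSP parser reads `blob:` and `https://sandbox-host/*` as two separate source expressions, leaving frames from any blob: URL allowed as before. Please confirm how `domain` and `sandbox` are built at the top of `Default.commonCSP` (outside the hunk) and, if they are space-prefixed, trim inside the template, e.g. `` `frame-src 'self' blob:${sandbox.trim()}/* blob:${domain.trim()}/* ${domain} ${sandbox}` ``. An empty `sandbox` also yields the token `blob:/*`, which is not a well-formed source expression and will most likely be ignored by browsers rather than enforced. A unit test asserting the exact header string for both the sandboxed and unsandboxed configurations would pin this down.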
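Review bot: `ApiConfig.httpSafeOrigin` is passed to `postMessage` with no fallback here, and the same applies to the `httpUnsafeOrigin`/`httpSafeOrigin` changes in www/common/sframe-common.js, www/secureiframe/main.js and www/unsafeiframe/main.js, while www/common/sframe-common-outer.js alone falls back to `window.location.origin`. If the config value is undefined it is stringified to `"undefined"`, which is not a valid target origin, and `postMessage` throws a SyntaxError; since this call is not wrapped in try/catch, channel setup aborts with an error that does not name the missing setting. A single guard near the top of each module, `if (!ApiConfig.httpSafeOrigin) { throw new Error('ApiConfig.httpSafeOrigin is required for postMessage targeting'); }`, gives a diagnosable failure and keeps the four sites consistent. Whether ApiConfig is already a dependency of this module is not visible in the hunk, and the enclosing function continues outside it.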
@@ -1,8 +1,9 @@ // This file provides the API for the channel for talking to and from the sandbox iframe. define([ //'/common/sframe-protocol.js', - '/common/common-util.js' -], function (/*SFrameProtocol,*/ Util) { + '/common/common-util.js', + '/api/config', +], function (/*SFrameProtocol,*/ Util, ApiConfig) { var mkTxid = function () { return Math.random().toString(16).replace('0.', '') + Math.random().toString(16).replace('0.', ''); @@ -156,9 +157,17 @@ define([ }); }; + var trusted = [ + ApiConfig.httpUnsafeOrigin, + ApiConfig.httpSafeOrigin, + '', // sharedworkers + ]; + onMsg.reg(function (msg) { if (!chanLoaded) { return; } if (!msg.data || msg.data === '_READY') { return; } + if (!trusted.includes(msg.origin)) { return; } + var data = typeof(msg.data) === "object" ? msg.data : JSON.parse(msg.data); if (typeof(data.ack) !== "undefined") { if (acks[data.txid]) { acks[data.txid](!data.ack); } diff --git a/www/common/sframe-common-outer.js b/www/common/sframe-common-outer.js index a86eac425..7351a2485 100644 --- a/www/common/sframe-common-outer.js +++ b/www/common/sframe-common-outer.js @@ -170,7 +170,7 @@ define([ var iframe = $('#sbox-iframe')[0].contentWindow; var postMsg = function (data) { try { - iframe.postMessage(data, '*'); + iframe.postMessage(data, ApiConfig.httpSafeOrigin || window.location.origin); } catch (err) { console.error(err, data); if (data && data.error && data.error instanceof Error) { diff --git a/www/common/sframe-common.js b/www/common/sframe-common.js index 5ec215df5..8f97ba265 100644 --- a/www/common/sframe-common.js +++ b/www/common/sframe-common.js @@ -762,7 +762,7 @@ define([ msgEv.fire(msg); }); var postMsg = function (data) { - iframe.postMessage(data, '*'); + iframe.postMessage(data, ApiConfig.httpUnsafeOrigin); }; SFrameChannel.create(msgEv, postMsg, waitFor(function (sfc) { ctx.sframeChan = sfc; })); }).nThen(function (waitFor) { 
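Review bot: The new origin check drops unexpected messages silently, so a misconfigured `httpSafeOrigin`/`httpUnsafeOrigin` (or a page reached via a hostname other than the configured one) looks like a hung channel rather than a rejected sender; a `console.warn('worker-channel: dropped message from unexpected origin', msg.origin);` before the `return` makes the rejection observable without echoing `msg.data`. The `''` entry deserves a fuller comment, since it is the broadest of the three: `'', // MessagePort/SharedWorker messages carry an empty origin; cross-window messages never do (opaque origins report "null")`. Note also that `trusted` is computed once at module load and, when no separate sandbox domain is configured, contains the same origin twice, which is harmless. The `onMsg.reg` callback continues past the end of the hunk.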
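Review bot: The `|| window.location.origin` fallback hides a missing `httpSafeOrigin` rather than surfacing it: `postMessage` silently discards a message whose target origin does not match the receiving window, so when a separate sandbox domain is in use but the config value is unset, every message to `#sbox-iframe` is dropped and the surrounding `try/catch` never fires. Consider resolving the target once outside `postMsg` and logging when the fallback is taken, e.g. `var targetOrigin = ApiConfig.httpSafeOrigin || window.location.origin;` followed by `if (!ApiConfig.httpSafeOrigin) { console.warn('httpSafeOrigin unset; falling back to', targetOrigin); }`. The enclosing function continues outside the hunk.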
diff --git a/www/secureiframe/main.js b/www/secureiframe/main.js index 7f88ff79e..8c33a2ff1 100644 --- a/www/secureiframe/main.js +++ b/www/secureiframe/main.js @@ -57,7 +57,7 @@ define([ var msgEv = Utils.Util.mkEvent(); var iframe = $('#sbox-secure-iframe')[0].contentWindow; var postMsg = function (data) { - iframe.postMessage(data, '*'); + iframe.postMessage(data, ApiConfig.httpSafeOrigin); }; var w = waitFor(); var whenReady = function (msg) { diff --git a/www/unsafeiframe/main.js b/www/unsafeiframe/main.js index 603133f12..afc6553b7 100644 --- a/www/unsafeiframe/main.js +++ b/www/unsafeiframe/main.js @@ -60,7 +60,7 @@ define([ var msgEv = Utils.Util.mkEvent(); var iframe = $('#sbox-unsafe-iframe')[0].contentWindow; var postMsg = function (data) { - iframe.postMessage(data, '*'); + iframe.postMessage(data, ApiConfig.httpUnsafeOrigin); }; var w = waitFor(); var whenReady = function (msg) {