apply strict controls for postMessage and tighten up blob CSP

pull/1/head
ansuz 3 years ago
parent 06f75f7769
commit c0b379b535

@ -18,7 +18,7 @@ Default.commonCSP = function (domain, sandbox) {
*/ */
"child-src 'self' blob: " + domain + sandbox, "child-src 'self' blob: " + domain + sandbox,
// IE/Edge // IE/Edge
"frame-src 'self' blob: " + domain + sandbox, `frame-src 'self' blob:${sandbox}/* blob:${domain}/* ${domain} ${sandbox}`,
/* this allows connections over secure or insecure websockets /* this allows connections over secure or insecure websockets
if you are deploying to production, you'll probably want to remove if you are deploying to production, you'll probably want to remove
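Review bot: The new frame-src template on L12 may not tighten anything in practice: `blob:${sandbox}/*` is not a source form that CSP's grammar defines (scheme-source is a bare `blob:`, and host-source has no scheme-qualified blob variant), and a browser ignores an expression it cannot parse rather than enforcing it, so the directive should be checked in the browser console before the old form is retired. How `domain` and `sandbox` are normalised is outside the hunk; the old `+ domain + sandbox` concatenation suggests they may carry a leading space, in which case the result reads `blob: https://…/*` and the bare `blob:` source silently survives. The child-src line just above is unchanged and still grants bare `blob:`, so engines that fall back to child-src keep the wider policy; if that is intended, say so next to it: `// child-src keeps bare blob: for legacy engines; frame-src carries the restricted form`.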

@ -1361,7 +1361,7 @@ define([
msgEv.fire(msg); msgEv.fire(msg);
}); });
var postMsg = function (data) { var postMsg = function (data) {
iframe.postMessage(data, '*'); iframe.postMessage(data, ApiConfig.httpSafeOrigin);
}; };
Channel.create(msgEv, postMsg, function (chan) { Channel.create(msgEv, postMsg, function (chan) {
APP.chan = chan; APP.chan = chan;
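Review bot: `ApiConfig.httpSafeOrigin` on L20 goes straight into postMessage with no fallback, whereas the same change in the hunk at L54 adds `|| window.location.origin`; if the config value is unset, the call receives `undefined`, which is not a valid targetOrigin and throws a SyntaxError that nothing here catches. The hunks at L63, L72 and L81 have the same shape. Rather than falling back to a possibly wrong origin, fail with a clear message before the call: `if (!ApiConfig.httpSafeOrigin) { throw new Error('httpSafeOrigin is not configured'); }`. The define() header of this module is outside the hunk, so I cannot see whether `ApiConfig` is among its dependencies the way the sframe-channel hunk at L30 adds it; if it is not, the new line fails with a ReferenceError on first use.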

@ -1,8 +1,9 @@
// This file provides the API for the channel for talking to and from the sandbox iframe. // This file provides the API for the channel for talking to and from the sandbox iframe.
define([ define([
//'/common/sframe-protocol.js', //'/common/sframe-protocol.js',
'/common/common-util.js' '/common/common-util.js',
], function (/*SFrameProtocol,*/ Util) { '/api/config',
], function (/*SFrameProtocol,*/ Util, ApiConfig) {
var mkTxid = function () { var mkTxid = function () {
return Math.random().toString(16).replace('0.', '') + Math.random().toString(16).replace('0.', ''); return Math.random().toString(16).replace('0.', '') + Math.random().toString(16).replace('0.', '');
@ -156,9 +157,17 @@ define([
}); });
}; };
var trusted = [
ApiConfig.httpUnsafeOrigin,
ApiConfig.httpSafeOrigin,
'', // sharedworkers
];
onMsg.reg(function (msg) { onMsg.reg(function (msg) {
if (!chanLoaded) { return; } if (!chanLoaded) { return; }
if (!msg.data || msg.data === '_READY') { return; } if (!msg.data || msg.data === '_READY') { return; }
if (!trusted.includes(msg.origin)) { return; }
var data = typeof(msg.data) === "object" ? msg.data : JSON.parse(msg.data); var data = typeof(msg.data) === "object" ? msg.data : JSON.parse(msg.data);
if (typeof(data.ack) !== "undefined") { if (typeof(data.ack) !== "undefined") {
if (acks[data.txid]) { acks[data.txid](!data.ack); } if (acks[data.txid]) { acks[data.txid](!data.ack); }
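Review bot: The `''` entry in `trusted` at L40 widens the allowlist to every message whose origin is the empty string, and the one-word comment does not say why that is acceptable; per the HTML spec `MessageEvent.origin` is empty for messages delivered over a MessagePort (which is how SharedWorker ports deliver, and which cannot originate from another window), so spell that out: `'', // MessagePort/SharedWorker messages carry an empty origin and cannot come from another window`. Messages rejected at L45 are dropped silently, so a misconfigured `httpSafeOrigin` (every message rejected) looks like a hung channel; a `console.warn('dropped message from untrusted origin', msg.origin);` on that branch makes it diagnosable. The enclosing handler continues outside the hunk.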

@ -170,7 +170,7 @@ define([
var iframe = $('#sbox-iframe')[0].contentWindow; var iframe = $('#sbox-iframe')[0].contentWindow;
var postMsg = function (data) { var postMsg = function (data) {
try { try {
iframe.postMessage(data, '*'); iframe.postMessage(data, ApiConfig.httpSafeOrigin || window.location.origin);
} catch (err) { } catch (err) {
console.error(err, data); console.error(err, data);
if (data && data.error && data.error instanceof Error) { if (data && data.error && data.error instanceof Error) {
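Review bot: The fallback on L54 targets `window.location.origin`, the outer page's own origin, while the receiving `#sbox-iframe` is presumably meant to live on the separate safe origin (the other hunks use `httpSafeOrigin` for it); when that value is unset the two differ in any split-domain deployment, and postMessage then discards the message without throwing, so the `catch` below never fires and the channel simply stalls. Either drop the fallback so a missing value fails loudly, consistent with the other call sites, or document the assumption it encodes: `// single-origin dev setup only: sandbox and outer page share window.location.origin`. The enclosing function continues outside the hunk.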

@ -762,7 +762,7 @@ define([
msgEv.fire(msg); msgEv.fire(msg);
}); });
var postMsg = function (data) { var postMsg = function (data) {
iframe.postMessage(data, '*'); iframe.postMessage(data, ApiConfig.httpUnsafeOrigin);
}; };
SFrameChannel.create(msgEv, postMsg, waitFor(function (sfc) { ctx.sframeChan = sfc; })); SFrameChannel.create(msgEv, postMsg, waitFor(function (sfc) { ctx.sframeChan = sfc; }));
}).nThen(function (waitFor) { }).nThen(function (waitFor) {

@ -57,7 +57,7 @@ define([
var msgEv = Utils.Util.mkEvent(); var msgEv = Utils.Util.mkEvent();
var iframe = $('#sbox-secure-iframe')[0].contentWindow; var iframe = $('#sbox-secure-iframe')[0].contentWindow;
var postMsg = function (data) { var postMsg = function (data) {
iframe.postMessage(data, '*'); iframe.postMessage(data, ApiConfig.httpSafeOrigin);
}; };
var w = waitFor(); var w = waitFor();
var whenReady = function (msg) { var whenReady = function (msg) {

@ -60,7 +60,7 @@ define([
var msgEv = Utils.Util.mkEvent(); var msgEv = Utils.Util.mkEvent();
var iframe = $('#sbox-unsafe-iframe')[0].contentWindow; var iframe = $('#sbox-unsafe-iframe')[0].contentWindow;
var postMsg = function (data) { var postMsg = function (data) {
iframe.postMessage(data, '*'); iframe.postMessage(data, ApiConfig.httpUnsafeOrigin);
}; };
var w = waitFor(); var w = waitFor();
var whenReady = function (msg) { var whenReady = function (msg) {
