From b9e6b660a73263f3a1b50af615109c07e8eb545b Mon Sep 17 00:00:00 2001
From: DecentM
Date: Sat, 6 Jan 2018 12:38:20 +0100
Subject: [PATCH] feature: event origin whitelisting
---
 content/install-hook-openusercss.js | 37 +++++++++++++++++++----------
 1 file changed, 24 insertions(+), 13 deletions(-)
diff --git a/content/install-hook-openusercss.js b/content/install-hook-openusercss.js
index 374a8428..2f77584d 100644
--- a/content/install-hook-openusercss.js
+++ b/content/install-hook-openusercss.js
@@ -2,15 +2,25 @@
 (() => {
 const manifest = chrome.runtime.getManifest();
+ const allowedOrigins = [
+ 'https://openusercss.org',
+ 'https://openusercss.com'
+ ];
 // Tell the page that we exist and that it should send the handshake
- window.postMessage({
- 'type': 'ouc-begin-handshake'
- }, '*');
+ allowedOrigins.forEach(origin => {
+ window.postMessage({
+ 'type': 'ouc-begin-handshake'
+ }, origin);
+ });
 // Wait for the handshake
 window.addEventListener('message', event => {
- if (event.data && event.data.type === 'ouc-handshake-question') {
+ if (
+ event.data
+ && event.data.type === 'ouc-handshake-question'
+ && allowedOrigins.includes(event.origin)
+ ) {
 // This is a representation of features that Stylus is capable of
 const implementedFeatures = [
 'install-usercss',
@@ -44,15 +54,16 @@
 // We send the handshake response, which includes the key we got, plus some
 // additional metadata
- window.postMessage({
- 'type': 'ouc-handshake-response',
- 'key': event.data.key,
- 'extension': {
- 'name': manifest.name,
- 'version': manifest.version,
- 'capabilities': reportedFeatures
- }
- }, '*');
+ allowedOrigins.forEach(origin => {
+ window.postMessage({
+ 'type': 'ouc-handshake-response',
+ 'key': event.data.key,
+ 'extension': {
+ 'name': manifest.name,
+ 'capabilities': reportedFeatures
+ }
+ }, origin);
+ });
 }
 });
 })();
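Review bot: The `allowedOrigins.forEach` loop that replaces the first `postMessage(..., '*')` only works because the browser silently drops the copy whose targetOrigin does not match the host page, and the `message` listener below it is still registered on every page the script is injected into, whatever the manifest's match patterns allow. Checking the page's own origin once makes the intent explicit and skips the handshake and the listener entirely on any other page: add `if (!allowedOrigins.includes(location.origin)) return;` right after the `allowedOrigins` declaration, and replace the loop with `window.postMessage({'type': 'ouc-begin-handshake'}, location.origin);`. This assumes the file runs as a content script, where `location` is the host page's; the `content/` path and `chrome.runtime.getManifest()` suggest so but the manifest is not in this patch. The `allowedOrigins.includes(event.origin)` test added to the `if` should stay regardless, since a `message` event can also originate from another window than the page itself.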
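Review bot: The response loop at the end of the listener posts the `ouc-handshake-response` to every whitelisted origin even though the `if` guard added in the first hunk has already established which origin sent the question, so the reply can be tied to the sender directly: drop the `allowedOrigins.forEach` wrapper and end the call with `}, event.origin);`. That also removes the reliance on the browser discarding the copy addressed to the other origin. Separately, `'version': manifest.version` disappears from the reply in this hunk while the subject only mentions origin whitelisting; a line in the commit message explaining why the version is no longer reported would help whoever consumes this message on the site. The listener callback and its `if` begin outside this hunk.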