Added origin verification to postMessage usage.

author Dan Brown <redacted>

Mon, 24 May 2021 23:05:20 +0000 (00:05 +0100)

committer Dan Brown <redacted>

Mon, 24 May 2021 23:05:20 +0000 (00:05 +0100)
author Dan Brown <redacted>
Mon, 24 May 2021 23:05:20 +0000 (00:05 +0100)
committer Dan Brown <redacted>
Mon, 24 May 2021 23:05:20 +0000 (00:05 +0100)
diff --git a/resources/js/services/drawio.js b/resources/js/services/drawio.js

index 17e57cd6b9165d567aa09f48197ea95e8b62551f..6e22919fb4d230556d99b6ce6a4382f077866af4 100644 (file)
--- a/resources/js/services/drawio.js
+++ b/resources/js/services/drawio.js
@@ -1,5 +1,5 @@
  let iFrame = null;
-
+let lastApprovedOrigin;
  let onInit, onSave;
  
  /**
@@ -19,15 +19,22 @@ function show(drawioUrl, onInitCallback, onSaveCallback) {
      iFrame.setAttribute('class', 'fullscreen');
      iFrame.style.backgroundColor = '#FFFFFF';
      document.body.appendChild(iFrame);
+    lastApprovedOrigin = (new URL(drawioUrl)).origin;
  }
  
  function close() {
      drawEventClose();
  }
  
+/**
+ * Receive and handle a message event from the draw.io window.
+ * @param {MessageEvent} event
+ */
  function drawReceive(event) {
      if (!event.data || event.data.length < 1) return;
-    let message = JSON.parse(event.data);
+    if (event.origin !== lastApprovedOrigin) return;
+
+    const message = JSON.parse(event.data);
      if (message.event === 'init') {
          drawEventInit();
      } else if (message.event === 'exit') {
@@ -62,7 +69,7 @@ function drawEventClose() {
  }
  
  function drawPostMessage(data) {
-    iFrame.contentWindow.postMessage(JSON.stringify(data), '*');
+    iFrame.contentWindow.postMessage(JSON.stringify(data), lastApprovedOrigin);
  }
  
  async function upload(imageData, pageUploadedToId) {
author	Dan Brown <redacted>
	Mon, 24 May 2021 23:05:20 +0000 (00:05 +0100)
committer	Dan Brown <redacted>
	Mon, 24 May 2021 23:05:20 +0000 (00:05 +0100)