✨ [RUMF-1237] The event bridge allowed hosts should also match subdom…

…ains (#1499)
DataDog · Apr 15, 2022 · 59693a2 · 59693a2
1 parent d2c96ea
commit 59693a2
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 10 deletions.
diff --git a/packages/core/src/transport/eventBridge.spec.ts b/packages/core/src/transport/eventBridge.spec.ts
@@ -9,16 +9,26 @@ describe('canUseEventBridge', () => {
   })
 
   it('should detect when the bridge is present and the webView host is allowed', () => {
-    initEventBridgeStub()
-    expect(canUseEventBridge()).toBeTrue()
-  })
-
-  it('should not detect when the bridge is absent', () => {
-    expect(canUseEventBridge()).toBeFalse()
+    initEventBridgeStub(allowedWebViewHosts)
+    expect(canUseEventBridge('foo.bar')).toBeTrue()
+    expect(canUseEventBridge('baz.foo.bar')).toBeTrue()
+    expect(canUseEventBridge('www.foo.bar')).toBeTrue()
+    expect(canUseEventBridge('www.qux.foo.bar')).toBeTrue()
   })
 
   it('should not detect when the bridge is present and the webView host is not allowed', () => {
     initEventBridgeStub(allowedWebViewHosts)
+    expect(canUseEventBridge('foo.com')).toBeFalse()
+    expect(canUseEventBridge('foo.bar.baz')).toBeFalse()
+    expect(canUseEventBridge('bazfoo.bar')).toBeFalse()
+  })
+
+  it('should not detect when the bridge on the parent domain if only the subdomain is allowed', () => {
+    initEventBridgeStub(['baz.foo.bar'])
+    expect(canUseEventBridge('foo.bar')).toBeFalse()
+  })
+
+  it('should not detect when the bridge is absent', () => {
     expect(canUseEventBridge()).toBeFalse()
   })
 })

diff --git a/packages/core/src/transport/eventBridge.ts b/packages/core/src/transport/eventBridge.ts
@@ -1,4 +1,4 @@
-import { getGlobalObject, includes } from '..'
+import { getGlobalObject } from '..'
 
 export interface BrowserWindowWithEventBridge extends Window {
   DatadogEventBridge?: DatadogEventBridge
@@ -26,10 +26,16 @@ export function getEventBridge<T, E>() {
   }
 }
 
-export function canUseEventBridge(): boolean {
+export function canUseEventBridge(hostname = getGlobalObject<Window>().location?.hostname): boolean {
   const bridge = getEventBridge()
-
-  return !!bridge && includes(bridge.getAllowedWebViewHosts(), window.location.hostname)
+  return (
+    !!bridge &&
+    bridge.getAllowedWebViewHosts().some((host) => {
+      const escapedHost = host.replace(/\./g, '\\.')
+      const isDomainOrSubDomain = new RegExp(`^(.+\\.)*${escapedHost}$`)
+      return isDomainOrSubDomain.test(hostname)
+    })
+  )
 }
 
 function getEventBridgeGlobal() {