From afa5ee4c820818ce5523820f8c8605a1d79a1661 Mon Sep 17 00:00:00 2001
From: Duane Nykamp
Date: Mon, 20 Jan 2025 22:05:13 -0600
Subject: [PATCH] add more location checks to message listener (#281)
* remove allowSaveSubmissions flag
---
 .../src/iframe-viewer-index.ts | 3 +++
 packages/doenetml-iframe/src/index.tsx | 9 ++++---
 packages/doenetml-worker/src/Core.js | 4 +--
 .../src/test/utils/test-core.ts | 2 --
 .../src/EditorViewer/EditorViewer.tsx | 1 -
 packages/doenetml/src/Viewer/DocViewer.tsx | 3 +++
 .../src/Viewer/renderers/codeViewer.jsx | 1 -
 packages/doenetml/src/doenetml.tsx | 6 -----
 .../e2e/DocViewer/docViewerAttributes.cy.js | 3 +++
 packages/test-cypress/src/CypressTest.tsx | 27 -------------------
 packages/test-viewer/src/main.jsx | 4 +++
 packages/test-viewer/src/test/testViewer.tsx | 1 -
 12 files changed, 20 insertions(+), 44 deletions(-)
diff --git a/packages/doenetml-iframe/src/iframe-viewer-index.ts b/packages/doenetml-iframe/src/iframe-viewer-index.ts
index 3b94a3051..f53deee46 100644
--- a/packages/doenetml-iframe/src/iframe-viewer-index.ts
+++ b/packages/doenetml-iframe/src/iframe-viewer-index.ts
@@ -54,6 +54,9 @@ document.addEventListener("DOMContentLoaded", () => {
 // forward all SPLICE messages that aren't a response
 window.addEventListener("message", (e) => {
+ if (e.origin !== window.parent.location.origin) {
+ return;
+ }
 if (
 e.data.subject.startsWith("SPLICE") &&
 !e.data.subject.endsWith("response")
diff --git a/packages/doenetml-iframe/src/index.tsx b/packages/doenetml-iframe/src/index.tsx
index ea419011a..f5453cd62 100644
--- a/packages/doenetml-iframe/src/index.tsx
+++ b/packages/doenetml-iframe/src/index.tsx
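Review bot: The new guard reads `window.parent.location.origin`, and reading a parent's `location` throws a SecurityError whenever the frame and its embedder are not same-origin (a sandboxed srcdoc frame, or a host page on another origin), so in that configuration the listener throws on every message rather than filtering. Inside a frame the throw-free way to pin the sender is a reference comparison, `if (e.source !== window.parent) return;`, optionally combined with an expected origin handed in at load time; comparing origins alone also admits any same-origin window, not only the parent. The context lines that follow still dereference `e.data.subject` without confirming `e.data` is an object, so a string or null payload from an accepted origin throws in the listener. The listener body and the surrounding DOMContentLoaded handler continue outside the hunk.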
@@ -145,15 +145,16 @@ export function DoenetViewer({
 React.useEffect(() => {
 const listener = (event: MessageEvent) => {
+ if (event.origin !== window.location.origin) {
+ return;
+ }
+
 // forward response from SPLICE getState to iframe
 if (event.data.subject === "SPLICE.getState.response") {
 ref.current?.contentWindow?.postMessage(event.data);
 return;
 }
- if (
- event.origin !== window.location.origin ||
- event.data?.origin !== id
- ) {
+ if (event.data?.origin !== id) {
 return;
 }
diff --git a/packages/doenetml-worker/src/Core.js b/packages/doenetml-worker/src/Core.js
index cca9b2872..6dbf04073 100644
--- a/packages/doenetml-worker/src/Core.js
+++ b/packages/doenetml-worker/src/Core.js
@@ -13023,8 +13023,8 @@ export default class Core {
 async recordSolutionView() {
 // TODO: check if student was actually allowed to view solution.
- // if not allowed to save submissions, then allow view but don't record it
- if (!this.flags.allowSaveSubmissions) {
+ // if not allowed to save state, then allow view but don't record it
+ if (!this.flags.allowSaveState) {
 return {
 allowView: true,
 message: "",
diff --git a/packages/doenetml-worker/src/test/utils/test-core.ts b/packages/doenetml-worker/src/test/utils/test-core.ts
index 841594a32..8161f28a5 100644
--- a/packages/doenetml-worker/src/test/utils/test-core.ts
+++ b/packages/doenetml-worker/src/test/utils/test-core.ts
@@ -14,7 +14,6 @@ type DoenetMLFlags = {
 allowLoadState: boolean;
 allowSaveState: boolean;
 allowLocalState: boolean;
- allowSaveSubmissions: boolean;
 allowSaveEvents: boolean;
 autoSubmit: boolean;
 };
@@ -30,7 +29,6 @@ const defaultFlags: DoenetMLFlags = {
 allowLoadState: false,
 allowSaveState: false,
 allowLocalState: false,
- allowSaveSubmissions: false,
 allowSaveEvents: false,
 autoSubmit: false,
 };
diff --git a/packages/doenetml/src/EditorViewer/EditorViewer.tsx b/packages/doenetml/src/EditorViewer/EditorViewer.tsx
index 20e4d5e68..a9ee38a3c 100644
--- a/packages/doenetml/src/EditorViewer/EditorViewer.tsx
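Review bot: With the origin check hoisted, `event.data.subject` on the next context line is still read before anything confirms `event.data` is an object, while the later `event.data?.origin` uses optional chaining; a same-origin message whose data is null throws inside the listener. The same guard DocViewer.tsx receives in this commit belongs right after the origin check, `if (typeof event.data !== "object" || event.data === null) return;`. Separately, the getState.response forwarding runs before the `event.data?.origin !== id` filter, so when several DoenetViewer instances share a page each iframe presumably receives every instance's response; worth confirming the iframe side disambiguates by id. The listener body and its registration continue outside the hunk.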
+++ b/packages/doenetml/src/EditorViewer/EditorViewer.tsx
@@ -484,7 +484,6 @@ export function EditorViewer({
 allowLoadState: false,
 allowSaveState: false,
 allowLocalState: false,
- allowSaveSubmissions: false,
 allowSaveEvents: false,
 readOnly: false,
 }}
diff --git a/packages/doenetml/src/Viewer/DocViewer.tsx b/packages/doenetml/src/Viewer/DocViewer.tsx
index 24fffcb64..a52f8aec2 100644
--- a/packages/doenetml/src/Viewer/DocViewer.tsx
+++ b/packages/doenetml/src/Viewer/DocViewer.tsx
@@ -449,6 +449,9 @@ export function DocViewer({
 useEffect(() => {
 window.addEventListener("message", (e) => {
+ if (e.origin !== window.location.origin) {
+ return;
+ }
 if (typeof e.data !== "object") {
 return;
 }
diff --git a/packages/doenetml/src/Viewer/renderers/codeViewer.jsx b/packages/doenetml/src/Viewer/renderers/codeViewer.jsx
index 86cf3720b..1059a0acc 100644
--- a/packages/doenetml/src/Viewer/renderers/codeViewer.jsx
+++ b/packages/doenetml/src/Viewer/renderers/codeViewer.jsx
@@ -141,7 +141,6 @@ export default React.memo(function CodeViewer(props) {
 allowLoadState: false,
 allowSaveState: false,
 allowLocalState: false,
- allowSaveSubmissions: false,
 allowSaveEvents: false,
 }}
 activityId={id}
diff --git a/packages/doenetml/src/doenetml.tsx b/packages/doenetml/src/doenetml.tsx
index 6db946f94..7861a7207 100644
--- a/packages/doenetml/src/doenetml.tsx
+++ b/packages/doenetml/src/doenetml.tsx
@@ -25,7 +25,6 @@ export type DoenetMLFlags = {
 allowLoadState: boolean;
 allowSaveState: boolean;
 allowLocalState: boolean;
- allowSaveSubmissions: boolean;
 allowSaveEvents: boolean;
 autoSubmit: boolean;
 };
@@ -41,7 +40,6 @@ export const defaultFlags: DoenetMLFlags = {
 allowLoadState: false,
 allowSaveState: false,
 allowLocalState: false,
- allowSaveSubmissions: false,
 allowSaveEvents: false,
 autoSubmit: false,
 };
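Review bot: In the DocViewer.tsx hunk the `typeof e.data !== "object"` context line right after the new origin check still lets `null` through, because `typeof null === "object"`, so a same-origin message with a null payload reaches whatever property access follows; tighten it to `if (typeof e.data !== "object" || e.data === null) return;`. The listener is registered inside a useEffect, and the hunk does not show a cleanup that calls `removeEventListener`; if none exists further down, the handler is added again on every effect run and each copy processes every message. The effect body continues outside the hunk.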
@@ -183,10 +181,6 @@ export function DoenetViewer({
 // and disable even looking up state from local storage (as we want to get the state from the database)
 flags.allowLocalState = false;
 flags.allowSaveState = false;
- } else if (flags.allowSaveState) {
- // allowSaveState implies allowLoadState
- // Rationale: saving state will result in loading a new state if another device changed it
- flags.allowLoadState = true;
 }
 const generatedVariantCallback = useCallback(
diff --git a/packages/test-cypress/cypress/e2e/DocViewer/docViewerAttributes.cy.js b/packages/test-cypress/cypress/e2e/DocViewer/docViewerAttributes.cy.js
index b6b8773bc..0db13aa9b 100644
--- a/packages/test-cypress/cypress/e2e/DocViewer/docViewerAttributes.cy.js
+++ b/packages/test-cypress/cypress/e2e/DocViewer/docViewerAttributes.cy.js
@@ -10,6 +10,9 @@ describe("PageViewer Attribute Tests", function () {
 let allPossibleVariants = null;
 function variantsListener(e) {
+ if (e.origin !== window.location.origin) {
+ return;
+ }
 if (e.data.subject === "SPLICE.allPossibleVariants") {
 allPossibleVariants = e.data.args.allPossibleVariants;
 }
diff --git a/packages/test-cypress/src/CypressTest.tsx b/packages/test-cypress/src/CypressTest.tsx
index 6751e17b9..f1db446a3 100644
--- a/packages/test-cypress/src/CypressTest.tsx
+++ b/packages/test-cypress/src/CypressTest.tsx
@@ -15,7 +15,6 @@ export function CypressTest() {
 allowLoadState: boolean;
 allowSaveState: boolean;
 allowLocalState: boolean;
- allowSaveSubmissions: boolean;
 allowSaveEvents: boolean;
 autoSubmit: boolean;
 render: boolean;
@@ -33,7 +32,6 @@ export function CypressTest() {
 allowLoadState: false,
 allowSaveState: false,
 allowLocalState: false,
- allowSaveSubmissions: false,
 allowSaveEvents: false,
 autoSubmit: false,
 render: true,
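Review bot: In the docViewerAttributes.cy.js hunk the new check compares `e.origin` with the origin of whichever window `variantsListener` is registered on; in Cypress that is normally the same origin as the application frame, but if the two ever differ (a `cy.origin` block, or a differently served test page) the variants message is dropped silently and `allPossibleVariants` stays null with nothing pointing at the origin check as the cause. A test helper is better off logging or failing on an unexpected origin than returning quietly, e.g. `throw new Error("unexpected message origin: " + e.origin);` in place of the bare `return`. The next line still reads `e.data.subject` without confirming `e.data` is an object, so a non-object payload from the accepted origin throws in the listener. Where the listener is registered is outside the hunk.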
@@ -82,9 +80,6 @@ export function CypressTest() {
 const [allowLocalState, setAllowLocalState] = useState(
 testSettings.allowLocalState,
 );
- const [allowSaveSubmissions, setAllowSaveSubmissions] = useState(
- testSettings.allowSaveSubmissions,
- );
 const [allowSaveEvents, setAllowSaveEvents] = useState(
 testSettings.allowSaveEvents,
 );
@@ -343,27 +338,6 @@ export function CypressTest() {
 Allow Local Page State -
- -