From b399ff6be4be7c12033524141a8b51412183dcb8 Mon Sep 17 00:00:00 2001
From: Philippe Coval
Date: Fri, 29 Jun 2018 09:31:28 +0200
Subject: [PATCH] security: post OAuth token to webapps using file protocol

When client is loaded from file oauth can't be used
because location.hostname is null.

So we fallback by using postMessage API,
instead of parsing the token page.

Test could have been done on location.hostname,
but for security concerns only file:// protocol is whitelisted

It was tested on Tizen5 on TM1.

Change-Id: I42af71ae822491150c019cff9688356b1a0e2532
Bug: https://github.com/mozilla-iot/gateway/pull/1149
Origin: https://github.com/tizenteam/gateway
Signed-off-by: Philippe Coval
---
 src/views/local-token-service.mustache | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/views/local-token-service.mustache b/src/views/local-token-service.mustache index 31f2f593f..112922be2 100644 --- a/src/views/local-token-service.mustache +++ b/src/views/local-token-service.mustache @@ -123,6 +123,15 @@ let text = client.get("https://gateway.local/things" +
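Review bot: The file:// whitelist in the nine lines added after the `client.get("https://gateway.local/things"` context in src/views/local-token-service.mustache needs an in-template comment and a narrower recipient check. Those added lines are cut off in this copy, so this goes by the commit message. Browsers generally give a document loaded from file:// an opaque origin, which is why location.hostname is empty there, and for the same reason postMessage cannot be pinned to one specific file:// recipient through its target origin. Whitelisting the scheme therefore treats every local HTML file as an acceptable receiver of the OAuth token. Suggest documenting that trade-off next to the check, posting only to the window that opened the token page and only after the user has approved the request, and confirming that clients served over http(s) never reach the postMessage branch. The message says it was tested on Tizen5 on TM1; a note on how other browsers behave for file:// pages would help whoever maintains this later.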