security: post OAuth token to webapps using file protocol

When client is loaded from file oauth can't be used because location.hostname is null. So we fallback by using postMessage API, instead of parsing the token page. Test could have been done on location.hostname, but for security concerns only file:// protocol is whitelisted It was tested on Tizen5 on TM1. Change-Id: I42af71ae822491150c019cff9688356b1a0e2532 Bug: #1149 Origin: https://github.com/tizenteam/gateway Signed-off-by: Philippe Coval <p.coval@samsung.com>
WebThingsIO · Aug 3, 2018 · 3689ead · 3689ead
1 parent d9b639c
commit 3689ead
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/src/views/local-token-service.mustache b/src/views/local-token-service.mustache
@@ -123,6 +123,15 @@ let text = client.get("<span class="origin">https://gateway.local</span>/things"
         </div>
       </div>
     </section>
+    <script>
+/* postToken to client apps if any */
+if (window.location.protocol === "file:") {
+  window.addEventListener("message", function(ev) {
+    if (ev.data.message === "token") {
+      ev.source.postMessage({ message: { token: "{{token}}" }}, "*");
+    }
+});
+    </script>
   </body>
 </html>