new attempt at speaker view xss fix

chilit-nl · May 12, 2022 · 4b6ac46 · 4b6ac46
1 parent 0ca3897
commit 4b6ac46
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 10 deletions.
diff --git a/plugin/notes/notes.esm.js b/plugin/notes/notes.esm.js
diff --git a/plugin/notes/notes.js b/plugin/notes/notes.js
diff --git a/plugin/notes/plugin.js b/plugin/notes/plugin.js
@@ -1,4 +1,4 @@
-import speakerViewHTML from './speaker-view.html';
+import speakerViewHTML from './speaker-view.html'
 
 import { marked } from 'marked';
 

diff --git a/plugin/notes/speaker-view.html b/plugin/notes/speaker-view.html
@@ -350,8 +350,9 @@ <h4 class="label">Notes</h4>
 					layoutDropdown,
 					pendingCalls = {},
 					lastRevealApiCallId = 0,
-					connected = false,
-					whitelistedWindows = [window.opener];
+					connected = false
+
+				var connectionStatus = document.querySelector( '#connection-status' );
 
 				var SPEAKER_LAYOUTS = {
 					'default': 'Default',
@@ -362,15 +363,29 @@ <h4 class="label">Notes</h4>
 
 				setupLayout();
 
-				var connectionStatus = document.querySelector( '#connection-status' );
+				let openerOrigin;
+
+				try {
+					openerOrigin = window.opener.location.origin;
+				}
+				catch ( error ) { console.warn( error ) }
+
+				// In order to prevent XSS, the speaker view will only run if its
+				// opener has the same origin as itself
+				if( window.location.origin !== openerOrigin ) {
+					connectionStatus.innerHTML = 'Cross origin error.<br>The speaker window can only be opened from the same origin.';
+					return;
+				}
+
 				var connectionTimeout = setTimeout( function() {
 					connectionStatus.innerHTML = 'Error connecting to main window.<br>Please try closing and reopening the speaker view.';
 				}, 5000 );
 ;
 				window.addEventListener( 'message', function( event ) {
 
-					// Validate the origin of this message to prevent XSS
-					if( window.location.origin !== event.origin && whitelistedWindows.indexOf( event.source ) === -1 ) {
+					// Validate the origin of all messages to avoid parsing messages
+					// that aren't meant for us
+					if( window.location.origin !== event.origin ) {
 						return;
 					}
 
@@ -539,8 +554,6 @@ <h4 class="label">Notes</h4>
 					upcomingSlide.setAttribute( 'src', upcomingURL );
 					document.querySelector( '#upcoming-slide' ).appendChild( upcomingSlide );
 
-					whitelistedWindows.push( currentSlide.contentWindow, upcomingSlide.contentWindow );
-
 				}
 
 				/**