From a35a2ca67ea4ea21e609938feb82f5b7a8f26561 Mon Sep 17 00:00:00 2001
From: azu
Date: Fri, 25 Jun 2021 18:43:13 +0900
Subject: [PATCH] fix(webextension): prevent to send/receive message from other origin
---
 packages/webextension/app/scripts/contentScript.ts | 2 +-
 packages/webextension/app/scripts/pageScript.ts | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/packages/webextension/app/scripts/contentScript.ts b/packages/webextension/app/scripts/contentScript.ts
index aef532e..4e6476e 100644
--- a/packages/webextension/app/scripts/contentScript.ts
+++ b/packages/webextension/app/scripts/contentScript.ts
@@ -48,7 +48,7 @@ window.addEventListener("message", (event) => {
 direction: "from-content-script",
 result
 },
- "*"
+ window.location.origin
 );
 });
 }
diff --git a/packages/webextension/app/scripts/pageScript.ts b/packages/webextension/app/scripts/pageScript.ts
index 513d285..4e14c8b 100644
--- a/packages/webextension/app/scripts/pageScript.ts
+++ b/packages/webextension/app/scripts/pageScript.ts
@@ -8,6 +8,11 @@ const commandHandler = (command: string, args: any): Promise => {
 return new Promise((resolve) => {
 logger.log("[PageScript]", command, args);
 const listener = (message: MessageEvent) => {
+ // prevent to receive message from other origin
+ // ContentScript send message from current page's origin
+ if (message.origin !== window.location.origin) {
+ return;
+ }
 if (
 message.data &&
 message.data.direction === "from-content-script" &&
@@ -25,7 +30,7 @@ const commandHandler = (command: string, args: any): Promise => {
 direction: "from-page-script",
 nonRandomKey
 },
- "*"
+ window.location.origin
 );
 });
 };
@@ -46,7 +51,6 @@ const isIgnored = ({ text, message }: { text: string; message: TextlintMessage }
 const lintEngine: LintEngineAPI = {
 async lintText({ text }) {
 const results = await commandHandler>("lintText", { text });
- logger.log("results", results);
 return results.map((result) => {
 return {
 filePath: result.filePath,
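Review bot: In the contentScript.ts hunk at line 48, and again in the pageScript.ts hunk at new line 30, `window.location.origin` as targetOrigin stops delivery in documents whose effective origin is opaque. `location.origin` is derived from the URL, so in a sandboxed frame it does not match the window's real origin and the message is dropped, and where it serializes to `"null"` (a `data:` document, for instance) `postMessage` throws a SyntaxError. Failing closed is the right direction, but the promise created in `commandHandler` would then presumably never settle. Detecting the case up front and skipping with a logged reason, e.g. `if (window.origin === "null") { return; }`, makes that explicit. The listener around the contentScript.ts call starts above the hunk, so an existing guard may not be visible here.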
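Review bot: The guard added to `listener` in the pageScript.ts hunk at new line 8 compares only `message.origin`, which a same-origin frame posting into this window also satisfies, so it does not narrow the sender to this window. Because the content script posts on the same window object, also require the source, e.g. `if (message.source !== window || message.origin !== window.location.origin) { return; }`. The contentScript.ts section changes only the targetOrigin, so as far as this patch shows its own `message` listener gains no matching receive-side check. Its start is outside the hunk, so one may already exist. `listener` continues past the end of this hunk.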