notes plugin only listens for same-origin postmessages to prevent xss
parent
4b6ac46cde
commit
3dade61176
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
|
@ -4,7 +4,7 @@ export const HORIZONTAL_SLIDES_SELECTOR = '.slides>section';
|
|||
export const VERTICAL_SLIDES_SELECTOR = '.slides>section.present>section';
|
||||
|
||||
// Methods that may not be invoked via the postMessage API
|
||||
export const POST_MESSAGE_METHOD_BLACKLIST = /registerPlugin|registerKeyboardShortcut|addKeyBinding|addEventListener/;
|
||||
export const POST_MESSAGE_METHOD_BLACKLIST = /registerPlugin|registerKeyboardShortcut|addKeyBinding|addEventListener|showPreview/;
|
||||
|
||||
// Regex for retrieving the fragment style from a class attribute
|
||||
export const FRAGMENT_STYLE_REGEX = /fade-(down|up|right|left|out|in-then-out|in-then-semi-out)|semi-fade-out|current-visible|shrink|grow/;
|
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
|
@ -151,15 +151,36 @@ const Plugin = () => {
|
|||
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if the given event is from the same origin as the
|
||||
* current window.
|
||||
*/
|
||||
function isSameOriginEvent( event ) {
|
||||
|
||||
try {
|
||||
return window.location.origin === event.source.location.origin;
|
||||
}
|
||||
catch ( error ) {
|
||||
return false;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
function onPostMessage( event ) {
|
||||
|
||||
let data = JSON.parse( event.data );
|
||||
if( data && data.namespace === 'reveal-notes' && data.type === 'connected' ) {
|
||||
clearInterval( connectInterval );
|
||||
onConnected();
|
||||
}
|
||||
else if( data && data.namespace === 'reveal-notes' && data.type === 'call' ) {
|
||||
callRevealApi( data.methodName, data.arguments, data.callId );
|
||||
// Only allow same-origin messages
|
||||
// (added 12/5/22 as a XSS safeguard)
|
||||
if( isSameOriginEvent( event ) ) {
|
||||
|
||||
let data = JSON.parse( event.data );
|
||||
if( data && data.namespace === 'reveal-notes' && data.type === 'connected' ) {
|
||||
clearInterval( connectInterval );
|
||||
onConnected();
|
||||
}
|
||||
else if( data && data.namespace === 'reveal-notes' && data.type === 'call' ) {
|
||||
callRevealApi( data.methodName, data.arguments, data.callId );
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -380,14 +380,8 @@
|
|||
var connectionTimeout = setTimeout( function() {
|
||||
connectionStatus.innerHTML = 'Error connecting to main window.<br>Please try closing and reopening the speaker view.';
|
||||
}, 5000 );
|
||||
;
|
||||
window.addEventListener( 'message', function( event ) {
|
||||
|
||||
// Validate the origin of all messages to avoid parsing messages
|
||||
// that aren't meant for us
|
||||
if( window.location.origin !== event.origin ) {
|
||||
return;
|
||||
}
|
||||
window.addEventListener( 'message', function( event ) {
|
||||
|
||||
clearTimeout( connectionTimeout );
|
||||
connectionStatus.style.display = 'none';
|
||||
|
|
Loading…
Reference in New Issue