From 587e5b887ec84bc2fa913f6b10237c35e98d477b Mon Sep 17 00:00:00 2001
From: Simon Backx
Date: Wed, 3 Aug 2022 14:52:28 +0200
Subject: [PATCH] Added origin check to admin auth frame message listener

refs https://github.com/TryGhost/Team/issues/1694

- Only listen to messages that are coming from the auth iframe
- Related PR for the other side: https://github.com/TryGhost/Ghost/pull/15135
---
 apps/comments-ui/src/App.js | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/apps/comments-ui/src/App.js b/apps/comments-ui/src/App.js
index 70e799031a..e4490ab3fb 100644
--- a/apps/comments-ui/src/App.js
+++ b/apps/comments-ui/src/App.js
@@ -185,10 +185,14 @@ export default class App extends React.Component {
 const frame = document.querySelector('iframe[data-frame="admin-auth"]');
 let uid = 1;
 let handlers = {};
+ const adminOrigin = new URL(this.props.adminUrl).origin;
+
 window.addEventListener('message', function (event) {
- if (event.origin !== '*') {
- // return;
+ if (event.origin !== adminOrigin) {
+ // Other message that is not intended for us
+ return;
 }
+
 let data = null;
 try {
 data = JSON.parse(event.data);
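Review bot: The new guard `if (event.origin !== adminOrigin)` accepts a message from any window at the admin origin (another tab, popup or embedded frame served from the same host), not only from the admin-auth iframe that `frame` on the first context line already resolves; the commit message says "only listen to messages that are coming from the auth iframe", so the listener should also pin the sender, `if (event.origin !== adminOrigin || !frame || event.source !== frame.contentWindow) { return; }`. Separately, `new URL(this.props.adminUrl)` throws synchronously on a missing or relative `adminUrl`, which the old code never did — if that prop can be absent in some embeds, guard it before constructing the URL, otherwise the whole listener setup aborts. Everything after `JSON.parse(event.data)` (how `data` is dispatched to `handlers`) is outside the hunk, as is the start of the enclosing method of `App`, so I cannot tell whether the parsed payload is further validated.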