
Added origin check to admin auth frame message listener

refs https://github.com/TryGhost/Team/issues/1694

- Only listen to messages that are coming from the auth iframe
- Related PR for the other side: https://github.com/TryGhost/Ghost/pull/15135
This commit is contained in:
Simon Backx 2022-08-03 14:52:28 +02:00
parent 14a9fab688
commit 587e5b887e


@ -185,10 +185,14 @@ export default class App extends React.Component {
const frame = document.querySelector('iframe[data-frame="admin-auth"]');
let uid = 1;
let handlers = {};
const adminOrigin = new URL(this.props.adminUrl).origin;
window.addEventListener('message', function (event) {
if (event.origin !== '*') {
// return;
if (event.origin !== adminOrigin) {
// Other message that is not intended for us
return;
}
let data = null;
try {
data = JSON.parse(event.data);