fix: enforce parent-child relationship in custom postMessage() handler (#21528)
committed by
Shelley Vohr
parent
3b557bcf2e
commit
7f0bbd27b1
@@ -282,6 +282,13 @@ const handleMessage = function (channel, handler) {
|
||||
})
|
||||
}
|
||||
|
||||
const securityCheck = function (contents, guestContents, check) {
|
||||
if (!check(contents, guestContents)) {
|
||||
console.error(`Blocked ${contents.getURL()} from accessing guestId: ${guestContents.id}`)
|
||||
throw new Error(`Access denied to guestId: ${guestContents.id}`)
|
||||
}
|
||||
}
|
||||
|
||||
const windowMethods = new Set([
|
||||
'destroy',
|
||||
'focus',
|
||||
@@ -289,10 +296,7 @@ const windowMethods = new Set([
|
||||
])
|
||||
|
||||
handleMessage('ELECTRON_GUEST_WINDOW_MANAGER_WINDOW_METHOD', (event, guestContents, method, ...args) => {
|
||||
if (!canAccessWindow(event.sender, guestContents)) {
|
||||
console.error(`Blocked ${event.sender.getURL()} from accessing guestId: ${guestContents.id}`)
|
||||
throw new Error(`Access denied to guestId: ${guestContents.id}`)
|
||||
}
|
||||
securityCheck(event.sender, guestContents, canAccessWindow)
|
||||
|
||||
if (!windowMethods.has(method)) {
|
||||
console.error(`Blocked ${event.sender.getURL()} from calling method: ${method}`)
|
||||
@@ -310,6 +314,8 @@ handleMessage('ELECTRON_GUEST_WINDOW_MANAGER_WINDOW_POSTMESSAGE', (event, guestC
|
||||
// The W3C does not seem to have word on how postMessage should work when the
|
||||
// origins do not match, so we do not do |canAccessWindow| check here since
|
||||
// postMessage across origins is useful and not harmful.
|
||||
securityCheck(event.sender, guestContents, isRelatedWindow)
|
||||
|
||||
if (targetOrigin === '*' || isSameOrigin(guestContents.getURL(), targetOrigin)) {
|
||||
const sourceId = event.sender.id
|
||||
guestContents._sendInternal('ELECTRON_GUEST_WINDOW_POSTMESSAGE', sourceId, message, sourceOrigin)
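Review bot: The three-line comment that precedes the new `securityCheck(event.sender, guestContents, isRelatedWindow)` line is now misleading, because it still says no access check is performed here on the grounds that cross-origin postMessage is harmless, while the line immediately below it throws `Access denied` for senders that are not related to the guest. Reword the last sentence of that comment to separate the two checks, e.g. `// postMessage across origins is useful and not harmful; we still require the sender and guest to be related windows so that an arbitrary webContents cannot target this guest by id.` The exact relationship `isRelatedWindow` accepts (presumably opener/child) is defined outside this hunk, so confirm it before stating it in the comment. The `handleMessage('ELECTRON_GUEST_WINDOW_MANAGER_WINDOW_POSTMESSAGE', …)` callback starts and ends outside the hunk.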
|
||||
@@ -324,10 +330,7 @@ const webContentsMethods = new Set([
|
||||
])
|
||||
|
||||
handleMessage('ELECTRON_GUEST_WINDOW_MANAGER_WEB_CONTENTS_METHOD', (event, guestContents, method, ...args) => {
|
||||
if (!canAccessWindow(event.sender, guestContents)) {
|
||||
console.error(`Blocked ${event.sender.getURL()} from accessing guestId: ${guestContents.id}`)
|
||||
throw new Error(`Access denied to guestId: ${guestContents.id}`)
|
||||
}
|
||||
securityCheck(event.sender, guestContents, canAccessWindow)
|
||||
|
||||
if (!webContentsMethods.has(method)) {
|
||||
console.error(`Blocked ${event.sender.getURL()} from calling method: ${method}`)
|
||||
|
||||