Check origins on webview messaging

2021-08-23 12:58:46 -07:00 · 2021-08-23 12:58:46 -07:00 · 22bd3b66dd
parent 68be11c73c
commit 22bd3b66dd
2 changed files with 15 additions and 4 deletions
--- a/src/vs/workbench/contrib/webview/browser/pre/main.js
+++ b/src/vs/workbench/contrib/webview/browser/pre/main.js
@ -21,6 +21,7 @@ const searchParams = new URL(location.toString()).searchParams;
 const ID = searchParams.get('id');
 const onElectron = searchParams.get('platform') === 'electron';
 const expectedWorkerVersion = parseInt(searchParams.get('swVersion'));
+const parentOrigin = searchParams.get('parentOrigin');

 /**
 * Use polling to track focus of main webview and iframes within the webview
@ -246,6 +247,11 @@ const hostMessaging = new class HostMessaging {
 		this.handlers = new Map();

 		window.addEventListener('message', (e) => {
+			if (e.origin !== parentOrigin) {
+				console.error('Skipping post m');
+				return;
+			}
+
 			const channel = e.data.channel;
 			const handlers = this.handlers.get(channel);
 			if (handlers) {
@ -263,7 +269,7 @@ const hostMessaging = new class HostMessaging {
 	 * @param {any} data
 	 */
 	postMessage(channel, data) {
-		window.parent.postMessage({ target: ID, channel, data }, '*');
+		window.parent.postMessage({ target: ID, channel, data }, parentOrigin);
 	}

 	/**
@ -858,7 +864,7 @@ onDomReady(() => {
 				}

 				pendingMessages.forEach((message) => {
-					contentWindow.postMessage(message.message, '*', message.transfer);
+					contentWindow.postMessage(message.message, window.origin, message.transfer);
 				});
 				pendingMessages = [];
 			}
@ -920,7 +926,7 @@ onDomReady(() => {
 		if (!pending) {
 			const target = getActiveFrame();
 			if (target) {
-				assertIsDefined(target.contentWindow).postMessage(data.message, '*', data.transfer);
+				assertIsDefined(target.contentWindow).postMessage(data.message, window.origin, data.transfer);
 				return;
 			}
 		}
--- a/src/vs/workbench/contrib/webview/browser/webviewElement.ts
+++ b/src/vs/workbench/contrib/webview/browser/webviewElement.ts
@ -291,6 +291,10 @@ export class IFrameWebview extends Disposable implements Webview {
 		}));

 		this._register(addDisposableListener(window, 'message', e => {
+			if (e.origin !== this.webviewContentEndpoint) {
+				return;
+			}
+
 			if (e?.data?.target === this.id) {
 				const handlers = this._messageHandlers.get(e.data.channel);
 				handlers?.forEach(handler => handler(e.data.data));
@ -388,6 +392,7 @@ export class IFrameWebview extends Disposable implements Webview {
 			extensionId: extension?.id.value ?? '',
 			platform: this.platform,
 			'vscode-resource-base-authority': webviewRootResourceAuthority,
+			parentOrigin: window.origin,
 		};

 		if (options.purpose) {
@ -417,7 +422,7 @@ export class IFrameWebview extends Disposable implements Webview {

 	private doPostMessage(channel: string, data?: any): void {
 		if (this.element) {
-			this.element.contentWindow!.postMessage({ channel, args: data }, '*');
+			this.element.contentWindow!.postMessage({ channel, args: data }, this.webviewContentEndpoint);
 		}
 	}