client-js icon indicating copy to clipboard operation
client-js copied to clipboard

Published 20 hours ago verified publisher icon open-rpc

fix: insecure iframe messaging

Open chaitanyapotti opened this issue 3 years ago • 5 comments

Fixes #296

chaitanyapotti avatar Sep 01 '21 12:09 chaitanyapotti

Pls check my changes. We should derive origin from uri instead of relying on user input.

chaitanyapotti avatar Sep 04 '21 09:09 chaitanyapotti

Pls check my changes. We should derive origin from uri instead of relying on user input.

The suggestion for a parameter is so users can define what urls they want to accept request from. Locking people into request coming from the same url origin, makes the api not flexible enough.

We can't universally make that assumption about the context in which client-js is operating in.

zcstarr avatar Sep 04 '21 15:09 zcstarr

I've made the necessary changes

chaitanyapotti avatar Sep 06 '21 09:09 chaitanyapotti

@chaitanyapotti Thank you for the PR and issue! nice work!

Are you able to finish this one off? Happy to help get it through.

BelfordZ avatar Jan 05 '23 19:01 BelfordZ

@zcstarr perhaps you have some time to cherrypick his commits and make the required changes?

BelfordZ avatar Jan 05 '23 19:01 BelfordZ