[feature] Avoid wildcard origin in postMessage

This commit is contained in:
Sergey Konovalov
2025-11-30 18:47:09 +03:00
parent b75c3087f2
commit 7cd0942c11


@ -23,7 +23,7 @@ let settingsButton = null;
function sendMessageToFrame(iframeId, data) {
const frame = document.getElementById(iframeId);
if (frame) {
frame.contentWindow.postMessage(JSON.stringify(data), '*');
frame.contentWindow.postMessage(JSON.stringify(data), window.location.origin);
}
}
@ -32,6 +32,11 @@ function sendMessageToFrame(iframeId, data) {
* @param {MessageEvent} event - The message event
*/
function receiveMessage(event) {
if (event.origin !== window.location.origin) {
console.warn('Rejected postMessage from untrusted origin:', event.origin);
return;
}
if (typeof event.data !== 'string') {
return;
}