From 3560444cc729332ffdfa9d7812e10950bf9dfa8d Mon Sep 17 00:00:00 2001
From: Brett Zamir
Date: Sun, 2 Mar 2014 01:25:39 +0000
Subject: [PATCH] In case the frame changes location to an untrusted source such as via link click, the embedding API is now required to supply a list of any other origins that should be allowed.

git-svn-id: http://svg-edit.googlecode.com/svn/trunk@2724 eee81c28-f429-11dd-99c0-75d572ba1ddd
---
 editor/embedapi.js | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/editor/embedapi.js b/editor/embedapi.js
index 3efccc83..df10a2ed 100644
--- a/editor/embedapi.js
+++ b/editor/embedapi.js
@@ -74,9 +74,11 @@ function messageListener (e) {
 if (typeof e.data !== 'string') {
 return;
 }
- var data = e.data && JSON.parse(e.data);
+ var allowedOrigins = this.allowedOrigins, data = e.data && JSON.parse(e.data);
 if (!data || typeof data !== 'object' || data.namespace !== 'svg-edit' ||
- e.source !== this.frame.contentWindow // Important security check
+ e.source !== this.frame.contentWindow ||
+ (allowedOrigins.indexOf('*') === -1 && allowedOrigins.indexOf(e.origin) === -1)
 ) {
 return;
 }
@@ -89,10 +91,18 @@ function getMessageListener (t) {
 };
 }
 
-function EmbeddedSVGEdit (frame) {
+/**
+* @param {HTMLFrame} frame
+* @param {array} [allowedOrigins=[]] Array of origins from which incoming
+* messages will be allowed when same origin is not used; defaults to none.
+* If supplied, it should probably be the same as svgEditor's allowedOrigins
+*/
+function EmbeddedSVGEdit (frame, allowedOrigins) {
 if (!(this instanceof EmbeddedSVGEdit)) { // Allow invocation without 'new' keyword
 return new EmbeddedSVGEdit(frame);
 }
+ //
+ this.allowedOrigins = allowedOrigins || [];
 // Initialize communication
 this.frame = frame;
 this.callbacks = {};
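Review bot: The added clause `(allowedOrigins.indexOf('*') === -1 && allowedOrigins.indexOf(e.origin) === -1)` in messageListener never compares `e.origin` with the embedding page's own origin, so with the constructor's default `allowedOrigins = []` every message is dropped, including one from a same-origin frame, although the new JSDoc says the list only applies "when same origin is not used". Either the condition should also admit the page's own origin, e.g. `&& e.origin !== window.location.origin` (or an equivalent built from protocol and host if `location.origin` is not available in the supported browsers), or the JSDoc should state that an empty list blocks all messages. The `// Important security check` comment on the `e.source !== this.frame.contentWindow` line is lost by the change and is worth keeping, and the `'*'` entry deserves its own comment since it switches the origin check off entirely: `// '*' disables the origin check; only use it when the frame can never be navigated to an untrusted document`. messageListener's body starts before this hunk, so how `this` is bound is not visible here.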
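Review bot: The no-`new` path in the EmbeddedSVGEdit constructor drops the new argument: `return new EmbeddedSVGEdit(frame);` forwards only `frame`, so a caller writing `EmbeddedSVGEdit(frame, origins)` gets an instance with `allowedOrigins = []` and, given the origin check in messageListener, never receives a message. It should read `return new EmbeddedSVGEdit(frame, allowedOrigins);`. The bare `//` line added before `this.allowedOrigins = allowedOrigins || [];` says nothing; either drop it or make it the why-comment, e.g. `// Origins whose incoming messages messageListener accepts, in addition to the e.source window check`. The constructor body continues past the end of the hunk.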