In case the frame changes location to an untrusted source such as via link click, the embedding API is now required to supply a list of any other origins that should be allowed.
git-svn-id: http://svg-edit.googlecode.com/svn/trunk@2724 eee81c28-f429-11dd-99c0-75d572ba1dddmaster
parent
314bcb2e76
commit
3560444cc7
|
@ -74,9 +74,11 @@ function messageListener (e) {
|
||||||
if (typeof e.data !== 'string') {
|
if (typeof e.data !== 'string') {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
var data = e.data && JSON.parse(e.data);
|
var allowedOrigins = this.allowedOrigins,
|
||||||
|
data = e.data && JSON.parse(e.data);
|
||||||
if (!data || typeof data !== 'object' || data.namespace !== 'svg-edit' ||
|
if (!data || typeof data !== 'object' || data.namespace !== 'svg-edit' ||
|
||||||
e.source !== this.frame.contentWindow // Important security check
|
e.source !== this.frame.contentWindow ||
|
||||||
|
(allowedOrigins.indexOf('*') === -1 && allowedOrigins.indexOf(e.origin) === -1)
|
||||||
) {
|
) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
@ -89,10 +91,18 @@ function getMessageListener (t) {
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
function EmbeddedSVGEdit (frame) {
|
/**
|
||||||
|
* @param {HTMLFrame} frame
|
||||||
|
* @param {array} [allowedOrigins=[]] Array of origins from which incoming
|
||||||
|
* messages will be allowed when same origin is not used; defaults to none.
|
||||||
|
* If supplied, it should probably be the same as svgEditor's allowedOrigins
|
||||||
|
*/
|
||||||
|
function EmbeddedSVGEdit (frame, allowedOrigins) {
|
||||||
if (!(this instanceof EmbeddedSVGEdit)) { // Allow invocation without 'new' keyword
|
if (!(this instanceof EmbeddedSVGEdit)) { // Allow invocation without 'new' keyword
|
||||||
return new EmbeddedSVGEdit(frame);
|
return new EmbeddedSVGEdit(frame);
|
||||||
}
|
}
|
||||||
|
//
|
||||||
|
this.allowedOrigins = allowedOrigins || [];
|
||||||
// Initialize communication
|
// Initialize communication
|
||||||
this.frame = frame;
|
this.frame = frame;
|
||||||
this.callbacks = {};
|
this.callbacks = {};
|
||||||
|
|
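Review bot: The `new`-less branch of `EmbeddedSVGEdit` still ends in `return new EmbeddedSVGEdit(frame);`, so a caller who writes `EmbeddedSVGEdit(frame, origins)` gets an instance whose `allowedOrigins` is `[]`; it should be `return new EmbeddedSVGEdit(frame, allowedOrigins);`. With an empty list the condition added to `messageListener` rejects every message, so the failure is closed but silent, and nothing tells the integrator why callbacks never fire. The docblock says the list applies "when same origin is not used", yet the visible condition has no same-origin exemption, so same-origin messages appear to be dropped by default as well unless that case is handled outside these hunks. The JSDoc should also state that `'*'` turns origin filtering off and leaves the `e.source` comparison as the only check. The constructor body continues past the end of the hunk.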