1 |
|
2 |
|
3 |
|
4 |
|
5 |
|
6 |
|
7 |
|
8 |
|
9 |
|
10 |
|
11 |
|
12 |
|
13 |
|
14 | import * as Comlink from "/base/dist/esm/comlink.mjs";
|
15 |
|
16 | describe("Comlink origin filtering", function () {
|
17 | it("rejects messages from unknown origin", async function () {
|
18 |
|
19 | const obj = { my: "value" };
|
20 | Comlink.expose(obj, self, [/^http:\/\/localhost(:[0-9]+)?\/?$/]);
|
21 |
|
22 | let handler;
|
23 |
|
24 | const attackComplete = new Promise((resolve, reject) => {
|
25 | handler = (ev) => {
|
26 | if (ev.data === "ready" && ev.origin === "null") {
|
27 |
|
28 | ifr.contentWindow.postMessage("start", "*");
|
29 | } else if (ev.data === "done") {
|
30 |
|
31 | expect(Object.prototype.foo).to.be.undefined;
|
32 | expect(obj.my).to.equal("value");
|
33 | resolve();
|
34 | }
|
35 | };
|
36 | window.addEventListener("message", handler);
|
37 | });
|
38 |
|
39 | const ifr = document.createElement("iframe");
|
40 | ifr.sandbox.add("allow-scripts");
|
41 | ifr.src = "/base/tests/fixtures/attack-iframe.html";
|
42 | document.body.appendChild(ifr);
|
43 |
|
44 | await new Promise((resolve) => (ifr.onload = resolve));
|
45 |
|
46 | await attackComplete;
|
47 | window.removeEventListener("message", handler);
|
48 | ifr.remove();
|
49 | });
|
50 | it("accepts messages from matching origin", async function () {
|
51 |
|
52 | const obj = { my: "value" };
|
53 | Comlink.expose(obj, self, [/^http:\/\/localhost(:[0-9]+)?\/?$/]);
|
54 |
|
55 | let handler;
|
56 |
|
57 | const attackComplete = new Promise((resolve, reject) => {
|
58 | handler = (ev) => {
|
59 | if (ev.data === "ready" && ev.origin === window.origin) {
|
60 |
|
61 | ifr.contentWindow.postMessage("start", "*");
|
62 | } else if (ev.data === "done") {
|
63 |
|
64 | expect(Object.prototype.foo).to.equal("x");
|
65 | expect(obj.my).to.equal("value");
|
66 | resolve();
|
67 | }
|
68 | };
|
69 | window.addEventListener("message", handler);
|
70 | });
|
71 |
|
72 | const ifr = document.createElement("iframe");
|
73 | ifr.sandbox.add("allow-scripts", "allow-same-origin");
|
74 | ifr.src = "/base/tests/fixtures/attack-iframe.html";
|
75 | document.body.appendChild(ifr);
|
76 |
|
77 | await new Promise((resolve) => (ifr.onload = resolve));
|
78 |
|
79 | await attackComplete;
|
80 | window.removeEventListener("message", handler);
|
81 | ifr.remove();
|
82 | });
|
83 | });
|