[Pkg-javascript-commits] [sockjs-client] 277/434: Small security check for iframe.
Tonnerre Lombard
tonnerre-guest at moszumanska.debian.org
Wed Jan 8 00:47:19 UTC 2014
This is an automated email from the git hooks/post-receive script.
tonnerre-guest pushed a commit to branch master
in repository sockjs-client.
commit e9031f95e6af4ab0bf9e5429aaf70b6ceb9cabd6
Author: Marek Majkowski <majek04 at gmail.com>
Date: Wed Jan 11 11:13:26 2012 +0000
Small security check for iframe.
---
lib/trans-iframe-within.js | 6 ++++++
lib/utils.js | 7 +++++++
2 files changed, 13 insertions(+)
diff --git a/lib/trans-iframe-within.js b/lib/trans-iframe-within.js
index 203eb9f..4dbd8e5 100644
--- a/lib/trans-iframe-within.js
+++ b/lib/trans-iframe-within.js
@@ -43,6 +43,12 @@ SockJS.bootstrap_iframe = function() {
" \"" + version + "\", the iframe:" +
" \"" + SockJS.version + "\".");
}
+ if (!utils.isLocalUrl(trans_url) || !utils.isLocalUrl(base_url)) {
+ utils.log("Can't connect to different domain from within an " +
+ "iframe. (" + JSON.stringify([_window.location.href, trans_url, base_url]) +
+ ")");
+ return;
+ }
facade = new FacadeJS();
facade._transport = new FacadeJS[protocol](facade, trans_url, base_url);
break;
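Review bot: The guard on the first added line is only as strong as `utils.isLocalUrl`, added in the lib/utils.js hunk of this same commit, and that helper is a plain string-prefix test: with the page at `http://host`, a URL such as `http://host.attacker.example/...` (constructed example) starts with the same characters and passes, so an iframe loaded with such a trans_url or base_url would still connect to another origin. In utils.isLocalUrl the comparison should also require that the origin is followed by a path delimiter or by nothing at all: `var rest = url.slice(o.length);` then `return url.slice(0, o.length) === o && (rest === '' || rest.charAt(0) === '/');` (extend to `?` and `#` if such URLs are expected). The rejection log line is worth keeping as is, since it records the three URLs a defender would want when investigating a blocked attempt. The enclosing SockJS.bootstrap_iframe function starts and ends outside this hunk.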
diff --git a/lib/utils.js b/lib/utils.js
index 5bf9b98..ca317b7 100644
--- a/lib/utils.js
+++ b/lib/utils.js
@@ -24,6 +24,13 @@ utils.getOrigin = function(url) {
return parts.join('/');
};
+utils.isLocalUrl = function(url) {
+ // location.origin would do, but it's not available in some
+ // browsers.
+ var o = _window.location.href.split('/').slice(0,3).join('/');
+ return url.slice(0, o.length) === o;
+};
+
utils.objectExtend = function(dst, src) {
for(var k in src) {
if (src.hasOwnProperty(k)) {
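Review bot: The comparison in the added utils.isLocalUrl is case-sensitive although scheme and host are not, so `HTTP://Host/...` is rejected while `http://host/...` is accepted; that is a false negative rather than a bypass, but the comment above `var o` should say so, e.g. `// Exact, case-sensitive prefix match against scheme://host[:port]; relative URLs are rejected.` Since `utils.getOrigin` is defined immediately above (its body is partly outside the hunk), `return utils.getOrigin(url) === utils.getOrigin(_window.location.href);` may be the more maintainable form, provided getOrigin yields the same scheme://host[:port] string — I cannot confirm that from the visible lines. utils.objectExtend continues past the end of the hunk.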
--