bitwarden/browser
1
0
Fork 0
mirror of https://github.com/bitwarden/browser synced 2025-12-11 22:03:36 +00:00
Code Issues Releases Wiki Activity

fix(auth): [PM-1779] replace wildcard with window.location.origin in postMessage

Browse Source 
Improve security by using specific origin instead of wildcard in postMessage calls to prevent potential information leakage to third parties.

PM-1779
This commit is contained in:
Alec Rippberger
2025-04-10 14:55:26 -05:00
committed by GitHub
parent 3ad6a98e21
commit 1e7d54f7fb
2 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
apps/web/src/connectors/duo-redirect.ts
View File

@@ -33,7 +33,7 @@ window.addEventListener("load", async () => {
displayHandoffMessage(client); displayHandoffMessage(client);
} else if (client === "browser") { } else if (client === "browser") {
window.postMessage({ command: "duoResult", code: code, state: state }, "*"); window.postMessage({ command: "duoResult", code, state }, window.location.origin);
displayHandoffMessage(client); displayHandoffMessage(client);
} else if (client === "mobile" || client === "desktop") { } else if (client === "mobile" || client === "desktop") {
if (client === "desktop") { if (client === "desktop") {

2
apps/web/src/connectors/sso.ts
View File

@@ -32,7 +32,7 @@ function initiateWebAppSso(code: string, state: string) {
} }
function initiateBrowserSso(code: string, state: string, lastpass: boolean) { function initiateBrowserSso(code: string, state: string, lastpass: boolean) {
window.postMessage({ command: "authResult", code: code, state: state, lastpass: lastpass }, "*"); window.postMessage({ command: "authResult", code, state, lastpass }, window.location.origin);
const handOffMessage = ("; " + document.cookie) const handOffMessage = ("; " + document.cookie)
.split("; ssoHandOffMessage=") .split("; ssoHandOffMessage=")
.pop() .pop()