Arch/pm 27820 (#17241)

* add storage port validation * remove unused method * Prefer property presence over truthyness (cherry picked from commit cbf380e023)
2025-12-06 00:13:28 +00:00 · 2025-11-05 23:09:15 +00:00
parent 36b28c296c
commit 33149f79cb
2 changed files with 33 additions and 0 deletions
--- a/apps/browser/src/platform/browser/browser-api.ts
+++ b/apps/browser/src/platform/browser/browser-api.ts
@@ -32,6 +32,36 @@ export class BrowserApi {
    return BrowserApi.manifestVersion === expectedVersion;
  }

+  static senderIsInternal(sender: chrome.runtime.MessageSender | null): boolean {
+    if (!sender?.url) {
+      return false;
+    }
+    const extensionUrl =
+      (typeof chrome !== "undefined" && chrome.runtime?.getURL("")) ||
+      (typeof browser !== "undefined" && browser.runtime?.getURL("")) ||
+      "";
+
+    if (!extensionUrl) {
+      return false;
+    }
+
+    if (!sender.url.startsWith(extensionUrl)) {
+      return false;
+    }
+
+    // these are all properties on externally initiated messages, not internal ones
+    if (
+      "tab" in sender ||
+      "documentId" in sender ||
+      "documentLifecycle" in sender ||
+      "frameId" in sender
+    ) {
+      return false;
+    }
+
+    return true;
+  }
+
  /**
   * Gets all open browser windows, including their tabs.
   *
--- a/apps/browser/src/platform/services/local-backed-session-storage.service.ts
+++ b/apps/browser/src/platform/services/local-backed-session-storage.service.ts
@@ -43,6 +43,9 @@ export class LocalBackedSessionStorageService
      if (port.name !== portName(chrome.storage.session)) {
        return;
      }
+      if (!BrowserApi.senderIsInternal(port.sender)) {
+        return;
+      }

      this.ports.add(port);