Allows limited internal message posting when host experience content is controlled (#17313)

2025-12-22 11:13:46 +00:00 · 2025-11-24 14:08:11 -05:00
parent 613e0c5461
commit 883ff8968e
1 changed files with 56 additions and 10 deletions
--- a/apps/browser/src/background/runtime.background.ts
+++ b/apps/browser/src/background/runtime.background.ts
@@ -293,14 +293,24 @@ export default class RuntimeBackground {
      case "openPopup":
        await this.openPopup();
        break;
-      case VaultMessages.OpenAtRiskPasswords:
+      case VaultMessages.OpenAtRiskPasswords: {
+        if (await this.shouldRejectManyOriginMessage(msg)) {
+          return;
+        }
+
        await this.main.openAtRisksPasswordsPage();
        this.announcePopupOpen();
        break;
-      case VaultMessages.OpenBrowserExtensionToUrl:
+      }
+      case VaultMessages.OpenBrowserExtensionToUrl: {
+        if (await this.shouldRejectManyOriginMessage(msg)) {
+          return;
+        }
+
        await this.main.openTheExtensionToPage(msg.url);
        this.announcePopupOpen();
        break;
+      }
      case "bgUpdateContextMenu":
      case "editedCipher":
      case "addedCipher":
@@ -312,10 +322,7 @@ export default class RuntimeBackground {
        break;
      }
      case "authResult": {
-        const env = await firstValueFrom(this.environmentService.environment$);
-        const vaultUrl = env.getWebVaultUrl();
-
-        if (msg.referrer == null || Utils.getHostname(vaultUrl) !== msg.referrer) {
+        if (!(await this.isValidVaultReferrer(msg.referrer))) {
          return;
        }

@@ -334,10 +341,7 @@ export default class RuntimeBackground {
        break;
      }
      case "webAuthnResult": {
-        const env = await firstValueFrom(this.environmentService.environment$);
-        const vaultUrl = env.getWebVaultUrl();
-
-        if (msg.referrer == null || Utils.getHostname(vaultUrl) !== msg.referrer) {
+        if (!(await this.isValidVaultReferrer(msg.referrer))) {
          return;
        }

@@ -372,6 +376,48 @@ export default class RuntimeBackground {
    }
  }

+  /**
+   * For messages that can originate from a vault host page or extension, validate referrer or external
+   *
+   * @param message
+   * @returns true if message fails validation
+   */
+  private async shouldRejectManyOriginMessage(message: {
+    webExtSender: chrome.runtime.MessageSender;
+  }): Promise<boolean> {
+    const isValidVaultReferrer = await this.isValidVaultReferrer(
+      Utils.getHostname(message?.webExtSender?.origin),
+    );
+
+    if (isValidVaultReferrer) {
+      return false;
+    }
+
+    return isExternalMessage(message);
+  }
+
+  /**
+   * Validates a message's referrer matches the configured web vault hostname.
+   *
+   * @param referrer - hostname from message source
+   * @returns true if referrer matches web vault
+   */
+  private async isValidVaultReferrer(referrer: string | null | undefined): Promise<boolean> {
+    if (!referrer) {
+      return false;
+    }
+
+    const env = await firstValueFrom(this.environmentService.environment$);
+    const vaultUrl = env.getWebVaultUrl();
+    const vaultHostname = Utils.getHostname(vaultUrl);
+
+    if (!vaultHostname) {
+      return false;
+    }
+
+    return vaultHostname === referrer;
+  }
+
  private async autofillPage(tabToAutoFill: chrome.tabs.Tab) {
    const totpCode = await this.autofillService.doAutoFill({
      tab: tabToAutoFill,