Allows limited internal message posting when host experience content is controlled (#17313)

apps/browser/src/background/runtime.background.ts

@@ -293,14 +293,24 @@ export default class RuntimeBackground {
       case "openPopup":
         await this.openPopup();
         break;
-      case VaultMessages.OpenAtRiskPasswords:
+      case VaultMessages.OpenAtRiskPasswords: {
+        if (await this.shouldRejectManyOriginMessage(msg)) {
+          return;
+        }
+
         await this.main.openAtRisksPasswordsPage();
         this.announcePopupOpen();
         break;
-      case VaultMessages.OpenBrowserExtensionToUrl:
+      }
+      case VaultMessages.OpenBrowserExtensionToUrl: {
+        if (await this.shouldRejectManyOriginMessage(msg)) {
+          return;
+        }
+
         await this.main.openTheExtensionToPage(msg.url);
         this.announcePopupOpen();
         break;
+      }
       case "bgUpdateContextMenu":
       case "editedCipher":
       case "addedCipher":
@@ -312,10 +322,7 @@ export default class RuntimeBackground {
         break;
       }
       case "authResult": {
-        const env = await firstValueFrom(this.environmentService.environment$);
+        if (!(await this.isValidVaultReferrer(msg.referrer))) {
-        const vaultUrl = env.getWebVaultUrl();
-
-        if (msg.referrer == null || Utils.getHostname(vaultUrl) !== msg.referrer) {
           return;
         }
 
@@ -334,10 +341,7 @@ export default class RuntimeBackground {
         break;
       }
       case "webAuthnResult": {
-        const env = await firstValueFrom(this.environmentService.environment$);
+        if (!(await this.isValidVaultReferrer(msg.referrer))) {
-        const vaultUrl = env.getWebVaultUrl();
-
-        if (msg.referrer == null || Utils.getHostname(vaultUrl) !== msg.referrer) {
           return;
         }
 
@@ -372,6 +376,48 @@ export default class RuntimeBackground {
     }
   }
 
+  /**
+   * For messages that can originate from a vault host page or extension, validate referrer or external
+   *
+   * @param message
+   * @returns true if message fails validation
+   */
+  private async shouldRejectManyOriginMessage(message: {
+    webExtSender: chrome.runtime.MessageSender;
+  }): Promise<boolean> {
+    const isValidVaultReferrer = await this.isValidVaultReferrer(
+      Utils.getHostname(message?.webExtSender?.origin),
+    );
+
+    if (isValidVaultReferrer) {
+      return false;
+    }
+
+    return isExternalMessage(message);
+  }
+
+  /**
+   * Validates a message's referrer matches the configured web vault hostname.
+   *
+   * @param referrer - hostname from message source
+   * @returns true if referrer matches web vault
+   */
+  private async isValidVaultReferrer(referrer: string | null | undefined): Promise<boolean> {
+    if (!referrer) {
+      return false;
+    }
+
+    const env = await firstValueFrom(this.environmentService.environment$);
+    const vaultUrl = env.getWebVaultUrl();
+    const vaultHostname = Utils.getHostname(vaultUrl);
+
+    if (!vaultHostname) {
+      return false;
+    }
+
+    return vaultHostname === referrer;
+  }
+
   private async autofillPage(tabToAutoFill: chrome.tabs.Tab) {
     const totpCode = await this.autofillService.doAutoFill({
       tab: tabToAutoFill,