Implemented admin auth origin check #15135
6add500 to 85a4a34
refs https://github.com/TryGhost/Team/issues/1694
- Only listen to messages that are coming from the auth iframe
- Related PR for the other side: TryGhost/Ghost#15135
We also need to pass the origin to the postMessage call as the second argument, rather than '*'
refs https://github.com/TryGhost/Team/issues/1694
- Added replacements option to the minify package
- At compile time, we'll replace '{{SITE_ORIGIN}}' with the actual and JS encoded origin string.
- Block requests to the auth frame with the wrong origin, but log a warning for now to make debugging easier.
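The two halves of the change discussed above (an exact origin check on the receiving `message` listener, and an explicit target origin instead of `'*'` on the sending side), plus the placeholder substitution the commit message describes, as an added JavaScript example that is not Ghost's code; SITE_ORIGIN, the event objects and the frame object are constructed stand-ins.

```javascript
// Added example, not Ghost's code. SITE_ORIGIN stands in for the value the build
// step substitutes for '{{SITE_ORIGIN}}'; the event and frame objects are stand-ins.
const SITE_ORIGIN = 'https://example.com'; // constructed placeholder origin

// Build step: replace the quoted placeholder with a JS-encoded origin so it lands in
// the script as a string literal rather than raw text that could break out of the quotes.
function injectSiteOrigin(source, origin) {
    return source.split("'{{SITE_ORIGIN}}'").join(JSON.stringify(origin));
}

// Receiver side: accept a message only if its origin is exactly the auth frame's origin.
// event.origin is set by the browser, not chosen by the sending page, so an exact string
// comparison (never startsWith/includes, which a look-alike host would pass) is the check.
function isFromAuthFrame(event, expectedOrigin = SITE_ORIGIN) {
    return typeof event.origin === 'string' && event.origin === expectedOrigin;
}

function handleAuthMessage(event, expectedOrigin = SITE_ORIGIN) {
    if (!isFromAuthFrame(event, expectedOrigin)) {
        // As in the PR, log rather than fail silently so a misconfigured origin is easy to spot.
        console.warn(`Dropped message from unexpected origin: ${event.origin}`);
        return null;
    }
    return event.data;
}

// Sender side: pass the target origin instead of '*', so the browser refuses to deliver
// the message if the frame has navigated to a different origin in the meantime.
function sendToAuthFrame(frameWindow, payload, targetOrigin = SITE_ORIGIN) {
    frameWindow.postMessage(payload, targetOrigin);
    return targetOrigin;
}
```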
91fd711 to 9378f88
refs https://github.com/TryGhost/Team/issues/1694
- Only listen to messages that are coming from the auth iframe
- Related PR for the other side: #15135
refs https://github.com/TryGhost/Team/issues/1694
@tryghost/minifier
+ updated documentation and name of 'options' param which was a bit confusing.
'{{SITE_ORIGIN}}' with the actual and JS encoded origin string.
Question: