Skip to content

Prevent execution of WKUserScript from beyond main frame and allowed hosts#4469

Merged
bgoncal merged 4 commits intomainfrom
prevent-user-scripts-from-iframes
Apr 2, 2026
Merged

Prevent execution of WKUserScript from beyond main frame and allowed hosts#4469
bgoncal merged 4 commits intomainfrom
prevent-user-scripts-from-iframes

Conversation

@bgoncal
Copy link
Copy Markdown
Member

@bgoncal bgoncal commented Apr 2, 2026

Summary

Screenshots

Link to pull request in Documentation repository

Documentation: home-assistant/companion.home-assistant#

Any other notes

@bgoncal bgoncal requested review from TimoPtr and bramkragten April 2, 2026 09:37
@bgoncal bgoncal self-assigned this Apr 2, 2026
Copilot AI review requested due to automatic review settings April 2, 2026 09:37
@bgoncal bgoncal added WebView and removed cla-signed labels Apr 2, 2026
Copilot AI reviewed Apr 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR tightens WebKit script injection and message handling so that injected WKUserScripts and received WKScriptMessages are restricted to the main frame, reducing the risk of subframe/iframe content invoking the app’s WebView bridge.

Changes:

  • Set forMainFrameOnly: true for the injected WebSocket bridge script.
  • Set forMainFrameOnly: true for the injected JS error listener script.
  • Drop any WKScriptMessage received from non-main frames in SafeScriptMessageHandler.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
Sources/App/Frontend/WebView/WebViewController.swift Restricts injected user scripts to the main frame only.
Sources/App/Frontend/ExternalMessageBus/SafeScriptMessageHandler.swift Filters script messages to main-frame origin before delegating.

@bgoncal bgoncal changed the title Prevent execution of WKUserScript from beyond main frame Prevent execution of WKUserScript from beyond main frame and allowed hosts Apr 2, 2026
@bgoncal bgoncal merged commit c8f35e4 into main Apr 2, 2026
12 checks passed
@bgoncal bgoncal deleted the prevent-user-scripts-from-iframes branch April 2, 2026 11:52
@codecov
Copy link
Copy Markdown

codecov bot commented Apr 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@a20ae2f). Learn more about missing BASE report.

Additional details and impacted files 
@@          Coverage Diff           @@
##             main   #4469   +/-   ##
======================================
  Coverage        ?       0           
======================================
  Files           ?       0           
  Lines           ?       0           
  Branches        ?       0           
======================================
  Hits            ?       0           
  Misses          ?       0           
  Partials        ?       0

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@TimoPtr TimoPtr TimoPtr left review comments

Copilot code review Copilot Copilot left review comments

@bramkragten bramkragten Awaiting requested review from bramkragten

Assignees

@bgoncal bgoncal

Labels

cla-signed WebView

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bgoncal @TimoPtr