
Use postMessage instead of directly making API calls in the overlay iframe. #13446

Merged
merged 6 commits into 3.x-dev from 13406-overlay-api2 on Oct 3, 2018

@diosmosis
Member

diosmosis commented Sep 18, 2018

This fix replaces #13420 as we noticed some other issues in Overlay when reviewing it.

Fixes #13406

@@ -139,6 +144,7 @@ var Piwik_Overlay = (function () {
function hashChangeCallback(urlHash) {
var location = getOverlayLocationFromHash(urlHash);
location = Overlay_Helper.decodeFrameUrl(location);
iframeOrigin = location.match(DOMAIN_PARSE_REGEX)[0];
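Review bot: `location.match(DOMAIN_PARSE_REGEX)[0]` throws a TypeError whenever the hash-derived URL does not match, because `match` returns null, and `urlHash` is input the page cannot trust; guard the result (`var m = location.match(DOMAIN_PARSE_REGEX); if (!m) { return; }`) before reading `m[0]`, and compare the extracted origin against the configured site URLs rather than accepting whatever origin the hash carries.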


@tsteur

tsteur Sep 18, 2018

Member

Can we be sure there will be an entry with index [0]?

var url = decodeURIComponent(strData[2]);
var params = broadcast.getValuesFromUrl(url);
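Review bot: `decodeURIComponent(strData[2])` throws a URIError on a malformed percent sequence and `strData[2]` is undefined when the message carries fewer fields, so a malformed message aborts the handler; check the field count, wrap the decode in try/catch, and check the requested method against a fixed allowlist of what the overlay needs before any API call is dispatched (the later commit "broadcast.getValuesFromUrl does not decode URL params" suggests the decoding on these two lines also deserves a second look).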


@tsteur

tsteur Sep 18, 2018

Member

Can we here only allow specific API methods needed for overlay to increase the security?

iframeDomain = currentUrl.match(/http(s)?:\/\/(www\.)?([^\/]*)/i)[3];
var m = currentUrl.match(DOMAIN_PARSE_REGEX);
iframeDomain = m[3];
iframeOrigin = m[0];
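Review bot: `m[3]` and `m[0]` are read without checking that `currentUrl.match(DOMAIN_PARSE_REGEX)` returned a match, so a URL that fails the regex throws instead of being rejected; add `if (!m) { ... }` before these reads, and confirm that `DOMAIN_PARSE_REGEX` keeps the same three capture groups as the inline regex it replaces (`http(s)?`, optional `www.`, host), otherwise `m[3]` no longer holds the host.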


@tsteur

tsteur Sep 18, 2018

Member

I presume an attacker cannot set a different iframeOrigin to her or his liking? E.g. by crafting a URL that matches the regex etc. Also m[0] and m[3] might not be defined for whatever reason... might need to add some check there to make sure they are set...

I'm thinking, would it be possible for additional security to only accept origins of configured siteURLs? I think this check is done so far maybe in the twig but not sure if in JS.
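The allowlisting the review asks for, as an added example that is not Matomo's code: exact origins are derived from configured site URLs with the URL parser instead of a hand-written regex, and a received message is rejected unless both its origin and its requested method are on the allowlists. The envelope format (`overlayApi:<method>:<urlencoded query>`), the function names, the sample site URLs and the method names are assumptions for illustration.

```javascript
// Added example, not Matomo's code. The message envelope format and the
// method names below are assumptions for illustration.
const ENVELOPE_PREFIX = "overlayApi:";
const ALLOWED_METHODS = new Set([
  "Overlay.getFollowingPages", // assumed: only what the overlay needs
  "Overlay.getTranslations",
]);

// Turn configured site URLs into exact origins (scheme + host + port).
// Unparsable config entries are skipped instead of widening the allowlist.
function buildOriginAllowlist(siteUrls) {
  const origins = new Set();
  for (const raw of siteUrls) {
    try {
      origins.add(new URL(raw).origin);
    } catch (e) {
      // not a URL: ignore this entry
    }
  }
  return origins;
}

// Validate one MessageEvent-like object {origin, data}.
// Returns {ok: true, method, params} or {ok: false, reason}.
function handleOverlayMessage(event, allowedOrigins) {
  // Exact origin comparison, not a substring or regex match.
  if (!allowedOrigins.has(event.origin)) {
    return { ok: false, reason: "origin not allowed" };
  }
  const data = event.data;
  if (typeof data !== "string" || !data.startsWith(ENVELOPE_PREFIX)) {
    return { ok: false, reason: "malformed payload" };
  }
  const rest = data.slice(ENVELOPE_PREFIX.length);
  const sep = rest.indexOf(":");
  if (sep < 0) {
    return { ok: false, reason: "malformed payload" };
  }
  const method = rest.slice(0, sep);
  if (!ALLOWED_METHODS.has(method)) {
    return { ok: false, reason: "method not allowed" };
  }
  let query;
  try {
    query = decodeURIComponent(rest.slice(sep + 1)); // URIError on bad %xx
  } catch (e) {
    return { ok: false, reason: "undecodable params" };
  }
  const params = Object.fromEntries(new URLSearchParams(query));
  return { ok: true, method, params };
}
```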

@diosmosis


Member

diosmosis commented Sep 19, 2018

@tsteur Updated.

@tsteur


Member

tsteur commented Oct 2, 2018

LGTM if tests pass

@diosmosis diosmosis merged commit 67eaa2c into 3.x-dev Oct 3, 2018

0 of 2 checks passed

continuous-integration/travis-ci/pr: The Travis CI build could not complete due to an error
continuous-integration/travis-ci/push: The Travis CI build is in progress

@diosmosis diosmosis deleted the 13406-overlay-api2 branch Oct 3, 2018

InfinityVoid added a commit to InfinityVoid/matomo that referenced this pull request Oct 11, 2018

Use postMessage instead of directly making API calls in the overlay iframe. (matomo-org#13446)

* Use postMessage instead of directly making API calls in the overlay iframe.

* Make sure it will work when Matomo is on a subfolder.

* Increase overlay security with domain and method whitelists.

* Try to fix UI test.

* Fix tests + UI test blacklist check.

* broadcast.getValuesFromUrl does not decode URL params.