Merge pull request #1849 from matrix-org/dbkr/cross_origin_renderer_o…

…rigin_lock Support origin lock in cross-origin renderer
matrix-org · Apr 25, 2018 · 7720585 · 7720585
2 parents 4ced12d + 79c3335
commit 7720585
Showing 1 changed file with 16 additions and 3 deletions.
diff --git a/src/components/views/messages/MFileBody.js b/src/components/views/messages/MFileBody.js
@@ -1,5 +1,6 @@
 /*
 Copyright 2015, 2016 OpenMarket Ltd
+Copyright 2018 New Vector Ltd
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -99,16 +100,27 @@ Tinter.registerTintable(updateTintedDownloadImage);
 // overridable so that people running their own version of the client can
 // choose a different renderer.
 //
-// To that end the first version of the blob generation will be the following
+// To that end the current version of the blob generation is the following
 // html:
 //
 //      <html><head><script>
-//      window.onmessage=function(e){eval("("+e.data.code+")")(e)}
+//      var params = window.location.search.substring(1).split('&');
+//      var lockOrigin;
+//      for (var i = 0; i < params.length; ++i) {
+//          var parts = params[i].split('=');
+//          if (parts[0] == 'origin') lockOrigin = decodeURIComponent(parts[1]);
+//      }
+//      window.onmessage=function(e){
+//          if (lockOrigin && event.origin === lockOrigin) eval("("+e.data.code+")")(e);
+//      }
 //      </script></head><body></body></html>
 //
 // This waits to receive a message event sent using the window.postMessage API.
 // When it receives the event it evals a javascript function in data.code and
-// runs the function passing the event as an argument.
+// runs the function passing the event as an argument. This version adds
+// support for a query parameter controlling the origin from which messages
+// will be processed as an extra layer of security (note that the default URL
+// is still 'v1' since it is backwards compatible).
 //
 // In particular it means that the rendering function can be written as a
 // ordinary javascript function which then is turned into a string using
@@ -325,6 +337,7 @@ module.exports = React.createClass({
             if (this.context.appConfig && this.context.appConfig.cross_origin_renderer_url) {
                 renderer_url = this.context.appConfig.cross_origin_renderer_url;
             }
+            renderer_url += "?origin=" + encodeURIComponent(document.origin);
             return (
                 <span className="mx_MFileBody">
                     <div className="mx_MFileBody_download">