fix(trace-viewer): validate snapshot popout ?r= scheme (#40546)

pavelfeldman · web-flow · commit 26219d512f86 · 2026-04-30T15:02:28.000-07:00
diff --git a/packages/isomorphic/urlMatch.ts b/packages/isomorphic/urlMatch.ts
@@ -16,9 +16,9 @@
 
 import { isString } from './stringUtils';
 
-export function isHttpUrl(url: string): boolean {
+export function isHttpUrl(url: string, base?: string): boolean {
   try {
-    return ['http:', 'https:'].includes(new URL(url).protocol);
+    return ['http:', 'https:'].includes(new URL(url, base).protocol);
   } catch {
     return false;
   }
diff --git a/packages/trace-viewer/snapshot.html b/packages/trace-viewer/snapshot.html
@@ -17,19 +17,6 @@
 <html lang="en">
   <body>
     <iframe src="about:blank" sandbox="allow-same-origin allow-scripts" style="position:absolute;top:0;left:0;right:0;bottom:0;width:100%;height:100%;border:none;"></iframe>
-    <script>
-      (async () => {
-        if (!navigator.serviceWorker)
-          throw new Error(`Service workers are not supported.\nMake sure to serve the Trace Viewer (${window.location}) via HTTPS or localhost.`);
-        navigator.serviceWorker.register('sw.bundle.js');
-        if (!navigator.serviceWorker.controller)
-          await new Promise(f => navigator.serviceWorker.oncontrollerchange = f);
-        const traceUrl = new URL(location.href).searchParams.get('trace');
-        const params = new URLSearchParams();
-        params.set('trace', traceUrl);
-        await fetch('contexts?' + params.toString());
-        document.querySelector('iframe').src = new URLSearchParams(location.search).get('r');
-      })();
-    </script>
+    <script type="module" src="/src/snapshotMain.ts"></script>
   </body>
 </html>
diff --git a/packages/trace-viewer/src/DEPS.list b/packages/trace-viewer/src/DEPS.list
@@ -2,5 +2,8 @@
 @web/**
 ui/
 
+[snapshotMain.ts]
+@isomorphic/**
+
 [sw-main.ts]
 sw/**
diff --git a/packages/trace-viewer/src/snapshotMain.ts b/packages/trace-viewer/src/snapshotMain.ts
@@ -0,0 +1,36 @@
+/*
+  Copyright (c) Microsoft Corporation.
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+*/
+
+import { isHttpUrl } from '@isomorphic/urlMatch';
+
+(async () => {
+  if (!navigator.serviceWorker)
+    throw new Error(`Service workers are not supported.\nMake sure to serve the Trace Viewer (${window.location}) via HTTPS or localhost.`);
+  navigator.serviceWorker.register('sw.bundle.js');
+  if (!navigator.serviceWorker.controller)
+    await new Promise(f => navigator.serviceWorker.oncontrollerchange = f);
+  const traceUrl = new URL(location.href).searchParams.get('trace');
+  const params = new URLSearchParams();
+  if (traceUrl)
+    params.set('trace', traceUrl);
+  await fetch('contexts?' + params.toString());
+  const r = new URLSearchParams(location.search).get('r');
+  if (!r || !isHttpUrl(r, location.href))
+    return;
+  const iframe = document.querySelector('iframe');
+  if (iframe)
+    iframe.src = r;
+})();
