Restrict embedded editor postMessage to allowed origins using IFRAME_ALLOWED_ORIGINS#1676
Merged
jasoncoffman merged 2 commits intopinterest:masterfrom Mar 20, 2026
Conversation
jasoncoffman
force-pushed
the
fix/cross-origin-postmessage
branch
from
fb0cafd to
ce69e2f
Compare
jasoncoffman
force-pushed
the
fix/cross-origin-postmessage
branch
from
ce69e2f to
ddb13ab
Compare
kgopal492
approved these changes
Mar 19, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The
EmbeddedQueryPageacceptspostMessagecalls from any origin and uses'*'as the targetfor outgoing messages. This means any page — not just the intended embedding host — can inject
queries into the editor via
SET_QUERY, potentially leading to unauthorized or unintended queryexecution.
Solution
Validate
event.originagainst the existingIFRAME_ALLOWED_ORIGINSserver configuration beforeprocessing incoming
SET_QUERYmessages. This reuses the same setting that already controls CSPframe-ancestors, so deployers get postMessage protection automatically with zero additionalconfiguration.
Changes
GET /utils/embedded/allowed_origins/): ExposesIFRAME_ALLOWED_ORIGINSto the frontend. Requires authentication but not admin access.
EmbeddedQueryPage: Incoming messages are checked against the allowedlist. Messages from unlisted origins are silently dropped. Messages coming from the Querybook origin are permitted.
SEND_QUERYhandshake are deferred untilthe allowed origins have loaded, so there is no window where unvalidated messages are accepted.
infra_config.mdxnow notes the dual role ofIFRAME_ALLOWED_ORIGINS.Backward compatibility
When
IFRAME_ALLOWED_ORIGINSis not configured (the default), the allowed list is empty and allorigins are accepted — identical to the current behavior. No action is required from existing
deployers.
Alternatives considered
Move allowed origins into
querybook_public_config.yamlso the frontend can read them atbuild time without an API call. Rejected because
IFRAME_ALLOWED_ORIGINSalready lives inquerybook_config.yaml/ env vars, and requiring deployers to also add it to the public configwould break backward compatibility for existing setups.
Duplicate the value in both
querybook_config.yamlandquerybook_public_config.yaml.Rejected because maintaining the same list in two places invites config drift, which is
especially risky for a security-sensitive setting.
Current approach — lightweight API endpoint: A single source of truth
(
IFRAME_ALLOWED_ORIGINS) is read at runtime by both the server (CSP headers) and the frontend(via the new endpoint). No new configuration keys, no duplication, fully backward compatible.