Validate OT origin (#36)

rviscomi · Jun 27, 2023 · b5f4160 · b5f4160
1 parent 886d051
commit b5f4160
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 1 deletion.
diff --git a/capo.js b/capo.js
@@ -222,6 +222,10 @@ function decodeToken(token) {
   return payload;
 }
 
+function isSameOrigin(a, b) {
+  return new URL(a).origin === new URL(b).origin;
+}
+
 function logElement({viz, weight, element, isValid, omitPrefix = false}) {
   if (!omitPrefix) {
     viz.visual = `${LOGGING_PREFIX}${viz.visual}`;
@@ -245,6 +249,10 @@ function logElement({viz, weight, element, isValid, omitPrefix = false}) {
         loggingLevel = 'warn';
         args.push('❌ expired');
       }
+      if (!isSameOrigin(payload.origin, document.location.href)) {
+        loggingLevel = 'warn';
+        args.push('❌ invalid origin');
+      }
     } catch {
       loggingLevel = 'warn';
       args.push('❌ invalid token');

diff --git a/crx/capo.js b/crx/capo.js
@@ -245,6 +245,10 @@ async function capo({fn, args}={}) {
     return payload;
   }
 
+  function isSameOrigin(a, b) {
+    return new URL(a).origin === new URL(b).origin;
+  }
+
   function logElement({viz, weight, element, isValid, omitPrefix = false}) {
     if (!omitPrefix) {
       viz.visual = `${LOGGING_PREFIX}${viz.visual}`;
@@ -268,6 +272,10 @@ async function capo({fn, args}={}) {
           loggingLevel = 'warn';
           args.push('❌ expired');
         }
+        if (!isSameOrigin(payload.origin, document.location.href)) {
+          loggingLevel = 'warn';
+          args.push('❌ invalid origin');
+        }
       } catch {
         loggingLevel = 'warn';
         args.push('❌ invalid token');

diff --git a/crx/manifest.json b/crx/manifest.json
@@ -2,7 +2,7 @@
   "manifest_version": 3,
   "name": "Capo: get your ﹤𝚑𝚎𝚊𝚍﹥ in order",
   "description": "Visualize the optimal ordering of ﹤𝚑𝚎𝚊𝚍﹥ elements on any web page",
-  "version": "1.3.0",
+  "version": "1.3.1",
   "permissions": [
     "scripting",
     "activeTab"