Security Considerations with External Messaging #61
Comments
Will look into this tonight - waiting for link expanding on GH to land in Loom first. :-)
@vhmth Oh please ignore everything I've ever tagged you in until that's done :P Thank you so much for adding that!
@tshaddix I like the idea of If support is continued for cc @vhmth
@paulius005 fully agree that a note in the README about
@vhmth @paulius005 Embedded Loom vids look soooooo slick. Great call with I proposed This is actually how Chrome suggests doing it here:
You're right, however, that this only solves extension/app connections. This doesn't help in the realm of website connections... I think a simple security fix would be to move forward with
I completely agree with doing the simple thing first and leveraging
Glad you like the Loom videos! :-) |
@vhmth Love the Loom videos :) Cool, so I've re-labeled this as an enhancement so we can make sure to put it on our roadmap of todos
I'd like us to consider the possible issues that could arise with supporting `onMessageExternal`. We currently don't do any sort of check on the `port.sender` property, meaning any other extension or website script could send messages straight to the background store. What are the possible implications of this? Should we include something in the package to run validation on an external connection? Should we even support external messaging?

I feel like the support for external messaging was a bit premature, honestly (my bad). I feel like we could have solved #47 by simply suggesting listeners in the background page that push the messages to `store.dispatch` after the sender has been checked. Maybe we can solve this by adding an option of `senderIds` which is an array of allowed external sender ids. We could also have an `allowExternal` boolean which sets up external listeners.
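One way to implement the sender check this issue asks for, as an added example that is not part of the original thread or of the project's own code. It takes the option names `senderIds` and `allowExternal` from the issue text; `allowedOrigins`, `isAllowedSender`, `makeExternalMessageHandler`, `registerExternalListeners` and `runDemo` are hypothetical names introduced here. It assumes a Redux-style `store.dispatch`, and a fake runtime object stands in for `chrome.runtime` so the block runs offline in Node with constructed sample messages.

```javascript
// Added example, not the project's own code. The option names `senderIds`
// and `allowExternal` come from the issue text; `allowedOrigins`,
// `isAllowedSender`, `makeExternalMessageHandler`, `registerExternalListeners`
// and `runDemo` are names introduced here for illustration.

// Decide whether a runtime.MessageSender may reach the store. For a message
// from another extension, `sender.id` holds that extension's id; for a message
// from a web page (externally_connectable), `sender.id` is absent and
// `sender.url` holds the page URL. `port.sender` on onConnectExternal has the
// same shape, so this one check covers both the message and the port API.
function isAllowedSender(sender, { senderIds = [], allowedOrigins = [] } = {}) {
  if (!sender || typeof sender !== 'object') return false;

  if (typeof sender.id === 'string' && sender.id.length > 0) {
    // Another extension: exact match on its id, nothing looser.
    return senderIds.includes(sender.id);
  }

  if (typeof sender.url === 'string') {
    // A web page: compare the parsed origin (scheme + host + port), never a
    // substring of the URL, so "https://evil.example/https://app.example"
    // does not pass as app.example.
    let origin;
    try {
      origin = new URL(sender.url).origin;
    } catch (err) {
      return false; // unparsable URL: reject
    }
    return allowedOrigins.includes(origin);
  }

  // Neither an extension id nor a URL to check against: reject.
  return false;
}

// Build an onMessageExternal listener that validates the sender before
// forwarding the message to `store.dispatch`. Rejected messages get an
// error response and never touch the store.
function makeExternalMessageHandler(store, options) {
  return function onExternalMessage(message, sender, sendResponse) {
    if (!isAllowedSender(sender, options)) {
      sendResponse({ ok: false, error: 'sender not allowed' });
      return false;
    }
    store.dispatch(message);
    sendResponse({ ok: true });
    return false; // response already sent synchronously
  };
}

// Register the external listener only when `allowExternal` is set, as the
// issue proposes; the default is no external surface at all.
function registerExternalListeners(runtime, store, { allowExternal = false, ...options } = {}) {
  if (!allowExternal) return false;
  runtime.onMessageExternal.addListener(makeExternalMessageHandler(store, options));
  return true;
}

// Offline demo: a recording store and a fake runtime stand in for a real
// Redux store and `chrome.runtime`. All ids, origins and messages below are
// constructed sample data.
function runDemo() {
  const dispatched = [];
  const store = { dispatch: (action) => dispatched.push(action) };
  const listeners = [];
  const fakeRuntime = { onMessageExternal: { addListener: (fn) => listeners.push(fn) } };
  const responses = [];
  const deliver = (message, sender) =>
    listeners.forEach((fn) => fn(message, sender, (reply) => responses.push(reply)));

  registerExternalListeners(fakeRuntime, store, {
    allowExternal: true,
    senderIds: ['abcdefghijklmnopabcdefghijklmnop'], // hypothetical trusted extension id
    allowedOrigins: ['https://app.example'],
  });

  deliver({ type: 'INCREMENT' }, { id: 'abcdefghijklmnopabcdefghijklmnop' }); // allowed
  deliver({ type: 'INCREMENT' }, { id: 'ponmlkjihgfedcbaponmlkjihgfedcba' }); // rejected
  deliver({ type: 'RESET' }, { url: 'https://app.example/dashboard' });        // allowed
  deliver({ type: 'RESET' }, { url: 'https://attacker.example/' });            // rejected
  deliver({ type: 'RESET' }, {});                                              // rejected

  return { dispatched, responses };
}
```

The runtime check is the second layer: the manifest's `externally_connectable` key (`ids` and `matches`) already decides which extensions and sites may connect at all, and the allowlist above should mirror it so a misconfigured manifest does not silently widen the store's attack surface. Comparing parsed origins rather than URL prefixes matters for the website case the later comments raise, since a prefix match on `sender.url` is trivially defeated by a path that embeds the trusted origin.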