Cap Google Chrome extension#1921
Merged
Merged
Conversation
Contributor
|
Too many files changed for review. ( |
|
Paragon Review Skipped Hi @richiemcilroy! Your Polarity credit balance is insufficient to complete this review. Please visit https://app.paragon.run to finish your review. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
![tembo[bot]](https://avatars.githubusercontent.com/in/1223475?s=60&v=4){kind=small}
Comment on lines
+53
to
+73
| const PANEL_TOKEN = decodeURIComponent(window.location.hash.slice(1)); | ||
| const IS_EMBEDDED = PANEL_TOKEN.length > 0 && window.parent !== window; | ||
| const DEFAULT_MEDIA_ACCESS: MediaAccessState = { | ||
| camera: false, | ||
| microphone: false, | ||
| updatedAt: 0, | ||
| }; | ||
|
|
||
| const postPanelMessage = ( | ||
| message: { type: "size"; height: number } | { type: "dismiss" }, | ||
| ) => { | ||
| if (!IS_EMBEDDED) return; | ||
| window.parent.postMessage( | ||
| { | ||
| source: "cap-extension-panel", | ||
| token: PANEL_TOKEN, | ||
| ...message, | ||
| }, | ||
| "*", | ||
| ); | ||
| }; |
There was a problem hiding this comment.
decodeURIComponent can throw on malformed %-escapes, and this is a web-accessible page, so it’s easy for a hostile embed to crash the UI via #%.... Also, you can avoid using "*" here by scoping the postMessage target to the embedding page’s origin.
Suggested change
| const PANEL_TOKEN = decodeURIComponent(window.location.hash.slice(1)); | |
| const IS_EMBEDDED = PANEL_TOKEN.length > 0 && window.parent !== window; | |
| const DEFAULT_MEDIA_ACCESS: MediaAccessState = { | |
| camera: false, | |
| microphone: false, | |
| updatedAt: 0, | |
| }; | |
| const postPanelMessage = ( | |
| message: { type: "size"; height: number } | { type: "dismiss" }, | |
| ) => { | |
| if (!IS_EMBEDDED) return; | |
| window.parent.postMessage( | |
| { | |
| source: "cap-extension-panel", | |
| token: PANEL_TOKEN, | |
| ...message, | |
| }, | |
| "*", | |
| ); | |
| }; | |
| const PANEL_TOKEN = (() => { | |
| try { | |
| return decodeURIComponent(window.location.hash.slice(1)); | |
| } catch { | |
| return ""; | |
| } | |
| })(); | |
| const IS_EMBEDDED = PANEL_TOKEN.length > 0 && window.parent !== window; | |
| const PANEL_PARENT_ORIGIN = (() => { | |
| try { | |
| return new URL(document.referrer).origin; | |
| } catch { | |
| return "*"; | |
| } | |
| })(); | |
| const DEFAULT_MEDIA_ACCESS: MediaAccessState = { | |
| camera: false, | |
| microphone: false, | |
| updatedAt: 0, | |
| }; | |
| const postPanelMessage = ( | |
| message: { type: "size"; height: number } | { type: "dismiss" }, | |
| ) => { | |
| if (!IS_EMBEDDED) return; | |
| window.parent.postMessage( | |
| { | |
| source: "cap-extension-panel", | |
| token: PANEL_TOKEN, | |
| ...message, | |
| }, | |
| PANEL_PARENT_ORIGIN, | |
| ); | |
| }; |
| type: "stop"; | ||
| }; | ||
|
|
||
| const token = decodeURIComponent(window.location.hash.slice(1)); |
There was a problem hiding this comment.
Same decodeURIComponent footgun here — a malformed hash can crash the preview iframe before it ever registers.
Suggested change
| const token = decodeURIComponent(window.location.hash.slice(1)); | |
| const token = (() => { | |
| try { | |
| return decodeURIComponent(window.location.hash.slice(1)); | |
| } catch { | |
| return ""; | |
| } | |
| })(); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The official Cap Google Chrome extension.