Skip to content

fix(broadcast): cross-window communication with unrestricted target origin #452

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 7,329 commits into from
Closed

fix(broadcast): cross-window communication with unrestricted target origin #452

wants to merge 7,329 commits into from

Conversation

ptrgits
Copy link

@ptrgits ptrgits commented Aug 4, 2025

WebClients/packages/shared/lib/broadcast/broadcast.ts

Line 54 in a832ce2

window.parent.postMessage(serialized, '*');

The window.postMessage method allows different windows or iframes to communicate directly, even if they were loaded from different origins, circumventing the usual same-origin policy. The sender of the message can restrict the origin of the receiver by specifying a target origin. If the receiver window does not come from this origin, the message is not sent.

Alternatively, the sender can specify a target origin of '*', which means that any origin is acceptable and the message is always sent. This feature should not be used if the message being sent contains sensitive data such as user credentials: the target window may have been loaded from a malicious site, to which the data would then become available.

fix the problem, we need to restrict the target origin in the window.parent.postMessage call in packages/shared/lib/broadcast/broadcast.ts (line 54). Instead of using '*', we should specify the expected parent window's origin. The best way to do this is to pass the trusted origin as an argument to the broadcast function, or to determine it from configuration or environment variables. Since we can only edit the code shown, the simplest and safest fix is to replace '*' with a hardcoded trusted origin (e.g., 'https://account.proton.me'), assuming this is the only allowed embedding parent. If the parent origin can vary, the code should be updated to accept the origin as a parameter, but this would require changes outside the shown code.

Required changes:

  • In packages/shared/lib/broadcast/broadcast.ts, replace '*' with the trusted origin string in the window.parent.postMessage call.
  • If the trusted origin is not known, use a placeholder and add a comment to update it as needed.

References

Window.postMessage
Same-origin policy
CWE-201
CWE-359

sa-l10n-translation and others added 30 commits July 22, 2025 05:03
i18n: Upgrade translations from crowdin (144cc025). (pass-extension)
ae0d3f9
i18n: Upgrade translations from crowdin (144cc025). (pass)
90f5bea
i18n: Upgrade translations from crowdin (144cc025). (pass-desktop)
e2c5354
i18n: Upgrade translations from crowdin (144cc025). (lumo)
4ab83ae
Merge branch 'translations_2025-07-22_050331_d2642e4c' into 'main'
0ffc70c 
i18n: Upgrade translations from crowdin (144cc025).

See merge request web/clients!18260
@flavienbonvin
Add the theme info data in root HTML
58a418c
Merge branch 'INWEB-210-add-theme-info-data' into 'main'
7bd5ba7 
Add the theme info data in root HTML

See merge request web/clients!18261
@mmso
Fix import
037c7b6
Merge branch 'fix-import' into 'main'
ff4f34e 
Fix import

See merge request web/clients!18272
Refactoring handleError to use an options object
977569d
Merge branch 'refactoring-handleError' into 'main'
d60a3e7 
Refactoring handleError to use an options object

See merge request web/clients!18250
INWEB-198: Remove proton-pack config from storyboook
d6a4ad9
Merge branch 'INWEB-198' into 'main'
cda2591 
INWEB-198: Remove proton-pack config from storyboook

See merge request web/clients!18215
INWEB-209
f66dacc
Merge branch 'INWEB-209' into 'main'
e7bab12 
INWEB-209

See merge request web/clients!18251
@StraightOuttaCrompton
Default lumo toggle state to member.lumo state for family plan
ec641c3
@StraightOuttaCrompton
Ensure maxLumo is sent on member invite
68d9250
@StraightOuttaCrompton
Ensure lumo can be disabled for members even if no seats are remaining
a49848a
@StraightOuttaCrompton
Do not show addon configuration for visionary users
07955db
@StraightOuttaCrompton
Fix visionary invite
c1aca04
@StraightOuttaCrompton
Ensure scriber can be disabled for members even if no seats are remai…
e2049a0 
…ning
Merge branch 'account-lumo-user-management' into 'main'
234f45f 
Account lumo user management

See merge request web/clients!18255
@pedroamaroproton
[MSA-765] B2B Trials: remove direct debit support
527d17f
Merge branch 'feat/b2b-trial/msa-765-remove-direct-debit-support' int…
80c840d 
…o 'main'

[MSA-765] B2B Trials: remove direct debit support

See merge request web/clients!18274
@mmso
Ignore event type error
9e00818
Merge branch 'ignore-error' into 'main'
62b6a7c 
Ignore event type error

See merge request web/clients!18277
INWEB-192: Remove proton-pack config from docs-editor
7f88063
Merge branch 'INWEB-192' into 'main'
4de12b9 
INWEB-192: Remove proton-pack config from docs-editor

See merge request web/clients!18209
@StraightOuttaCrompton
Add lumo toggle to product updates
5a392b7 
CP-9958
@StraightOuttaCrompton
Add LumoInProductNewsletters feature flag
f4fc41a
LisaBot and others added 17 commits July 29, 2025 10:23
Update Unleash
643c12f
Merge branch 'renovate/unleash' into 'main'
8be21cd 
Update Unleash

See merge request web/clients!17981
INWEB-203: Add yarn:no-cache for storybook and visual tests
a727470
Merge branch 'INWEB-203-use-yarn-no-cache-static-tests' into 'main'
52bf44d 
INWEB-203: Add yarn:no-cache for storybook and visual tests

See merge request web/clients!18381
@pedroamaroproton
[MSA-753] Disallow duplicate names in groups and sort them in natural…
29b7a19 
… order
Merge branch 'feat/disallow-duplicated-names-sort' into 'main'
08d2157 
[MSA-753] Disallow duplicate names in groups and sort them in natural order

See merge request web/clients!18259
Update all non-major dependencies
1383133
Merge branch 'renovate/all-minor-patch' into 'main'
8a5440a 
Update all non-major dependencies

See merge request web/clients!18390
Retention UI [05]: Implement modal to add/edit retention policy
17bbcec
Merge branch 'retention/ui-05' into 'main'
a901e32 
Retention UI [05]: Implement modal to add/edit retention policy

See merge request web/clients!18148
[fix/DRVWEB-4834] fix create folder modal when moving files
07ebcea
Merge branch 'DRVWEB-4834' into 'main'
678bf43 
[fix/DRVWEB-4834] fix create folder modal when moving files

See merge request web/clients!18386
[Cleanup] Remove redundant code by removing MailboxRefactoring flag
9a59028
Merge branch 'cleanup-mailbox-refactoring' into 'main'
e9a4ec1 
[Cleanup] Remove redundant code by removing MailboxRefactoring flag

See merge request web/clients!18217
@LeGrosSancho
Prevent mail onboarding modal from being shown on the desktop app
ebba145
Merge branch 'fix-mail-onboarding-modal-flickering-on-desktop-app' in…
a832ce2 
…to 'main'

Prevent mail onboarding modal from being shown on the desktop app

See merge request web/clients!18347
@ptrgits
Update broadcast.ts
b1aea8b
@mmso mmso force-pushed the main branch 3 times, most recently from 40360c7 to 2eaeffc Compare August 5, 2025 14:51
@mmso mmso force-pushed the main branch 7 times, most recently from 6f16c41 to c5e6ffe Compare August 21, 2025 12:04
@mmso mmso force-pushed the main branch 2 times, most recently from 1e4ffe8 to 8c63f2f Compare August 29, 2025 16:10
@ptrgits ptrgits closed this by deleting the head repository Sep 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.