Aaronius / penpal

A promise-based library for securely communicating with iframes via postMessage.
MIT License
381 stars 56 forks

dynamic iframe url #73

Closed KutnerUri closed 2 years ago

KutnerUri commented 2 years ago

I'm using an iframe that includes redirects as part of its setup, and I'm getting this error:

[Penpal] Parent: Handshake - Received SYN message from origin https://m73gees.scopes.teambit.dev which did not match expected origin https://symphony.bit.dev

The setup goes something like this:

----> https://symphony.bit.dev/api/resolve/teambit.organization
      (backend logic)

<---- redirect 302 to https://m73gees.scopes.teambit.dev
      (iframe redirects)

----> https://m73gees.scopes.teambit.dev

      getting SYN from m73gees.scopes.teambit.dev
(err) "did not match expected origin"

I wanted to disable the childOrigin check, but it does not seem to be possible. Leaving it as "" or undefined defaults to the iframe's src, and "*" doesn't work.

I don't have a way to know the final url of the iframe. Is there another property I can use? (like name="...", or title="...")

KutnerUri commented 2 years ago

@Aaronius Please check PR #74 :)

Aaronius commented 2 years ago

Thanks for the contribution, @KutnerUri! I see your predicament and why you would want this feature. I want to make sure the security implications of not using https://symphony.bit.dev for childOrigin are considered. In this case, if an attacker were to be able to nefariously navigate the iframe to a nefarious URL, the page at the nefarious URL could spoof being a legitimate child and receive potentially sensitive information from your parent.

For example, if, inside your https://symphony.bit.dev/api/resolve/teambit.organization page, a nefarious attacker could make a link appear that others could click on (for example, if you failed to adequately escape HTML in a message board comment), and that link navigates an unsuspecting user's iframe to a nefarious page, then the nefarious page could communicate with your parent window and start receiving communication.

Does that make sense? Would you be willing to accept that risk?

Aaronius commented 2 years ago

Considering your comments that followed on the pull request, I think you're willing to accept the risk in your case.

Thanks for your contribution, @KutnerUri! Released as v6.2.0.