IdentityModel / oidc-client-js

OpenID Connect (OIDC) and OAuth2 protocol support for browser-based JavaScript applications
Apache License 2.0

Add defensive checks in IFrameWindow.js callback #1223

Closed paulmowat closed 3 years ago

paulmowat commented 4 years ago

Added some checks to the IFrameWindow.js _message function to verify that e.data is a string and begins with http/https, to ensure it's a URL as expected.

Helps resolve #1221

brockallen commented 3 years ago

Glad you got the plug in fixed, but I still think this check doesn't hurt. Thanks!
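
The kind of check this pull request describes, written out as a standalone helper for a window `message` handler. This is an added example, not the code from the PR or from oidc-client-js; the name `extractCallbackUrl`, the origin comparison, the `new URL` parse and the sample events are assumptions that go beyond the string and http/https test mentioned above.

```javascript
// Added example: hypothetical helper, not code from oidc-client-js.
// Returns the callback URL carried by a postMessage event, or null when the
// message is not the kind an iframe callback page is expected to send.
function extractCallbackUrl(event, expectedOrigin) {
  // Assumption: the caller knows which origin hosts the callback page.
  if (event.origin !== expectedOrigin) return null;

  const data = event.data;
  // Any script with a reference to the window can post objects, numbers or
  // null to it; calling string methods on those throws inside the handler.
  if (typeof data !== "string") return null;

  // Prefix test from the PR description: must begin with http/https.
  if (!/^https?:\/\//i.test(data)) return null;

  // Stricter than a prefix test: the string must parse as an absolute URL.
  try {
    return new URL(data).href;
  } catch (err) {
    return null;
  }
}

// Constructed sample events (not captured traffic).
const ORIGIN = "https://app.example";
const samples = [
  { origin: ORIGIN, data: "https://app.example/silent.html#id_token=abc&state=123" },
  { origin: ORIGIN, data: { type: "extension-ping" } },  // non-string payload
  { origin: ORIGIN, data: "ftp://app.example/x" },        // wrong scheme
  { origin: ORIGIN, data: "https://" },                   // prefix only, no host
  { origin: "https://other.example", data: "https://app.example/silent.html#state=1" },
  { origin: ORIGIN, data: null },
];

// Runs every sample through the check; only the first one should survive.
function runSamples() {
  return samples.map((e) => extractCallbackUrl(e, ORIGIN));
}

console.log(runSamples());
```

Only the first sample yields a URL; the rest are dropped before any URL handling code sees them.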