Open liusong1111 opened 4 years ago
https://github.com/rebase-network/synapse-extension/blob/af0985a81b5a6d578b3605bb459b4487283ffab4/src/contentScript/inject/injectedScript.ts#L39
window.postMessage(requestMessage, '*');
* means no origin restriction, which may cause leaky information.
*
https://github.com/rebase-network/synapse-extension/blob/af0985a81b5a6d578b3605bb459b4487283ffab4/src/contentScript/contentScript.ts#L42
Maybe window.location.origin is enough?
window.location.origin
https://github.com/rebase-network/synapse-extension/blob/af0985a81b5a6d578b3605bb459b4487283ffab4/src/contentScript/contentScript.ts#L50
onmessage should also check origin?
onmessage
Refs: https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
https://owasp.org/www-chapter-london/assets/slides/OWASPLondon_PostMessage_Security_in_Chrome_Extensions.pdf
https://labs.detectify.com/2016/12/08/the-pitfalls-of-postmessage/
https://github.com/rebase-network/synapse-extension/blob/af0985a81b5a6d578b3605bb459b4487283ffab4/src/contentScript/inject/injectedScript.ts#L39
*
means no origin restriction, which may cause leaky information.https://github.com/rebase-network/synapse-extension/blob/af0985a81b5a6d578b3605bb459b4487283ffab4/src/contentScript/contentScript.ts#L42
Maybe
window.location.origin
is enough?https://github.com/rebase-network/synapse-extension/blob/af0985a81b5a6d578b3605bb459b4487283ffab4/src/contentScript/contentScript.ts#L50
onmessage
should also check origin?Refs: https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
https://owasp.org/www-chapter-london/assets/slides/OWASPLondon_PostMessage_Security_in_Chrome_Extensions.pdf
https://labs.detectify.com/2016/12/08/the-pitfalls-of-postmessage/