	new attempt at speaker view xss fix
							| @@ -1,4 +1,4 @@ | |||||||
| import speakerViewHTML from './speaker-view.html'; | import speakerViewHTML from './speaker-view.html' | ||||||
|  |  | ||||||
| import { marked } from 'marked'; | import { marked } from 'marked'; | ||||||
|  |  | ||||||
|   | |||||||
| @@ -350,8 +350,9 @@ | |||||||
| 					layoutDropdown, | 					layoutDropdown, | ||||||
| 					pendingCalls = {}, | 					pendingCalls = {}, | ||||||
| 					lastRevealApiCallId = 0, | 					lastRevealApiCallId = 0, | ||||||
| 					connected = false, | 					connected = false | ||||||
| 					whitelistedWindows = [window.opener]; |  | ||||||
|  | 				var connectionStatus = document.querySelector( '#connection-status' ); | ||||||
|  |  | ||||||
| 				var SPEAKER_LAYOUTS = { | 				var SPEAKER_LAYOUTS = { | ||||||
| 					'default': 'Default', | 					'default': 'Default', | ||||||
| @@ -362,15 +363,29 @@ | |||||||
|  |  | ||||||
| 				setupLayout(); | 				setupLayout(); | ||||||
|  |  | ||||||
| 				var connectionStatus = document.querySelector( '#connection-status' ); | 				let openerOrigin; | ||||||
|  |  | ||||||
|  | 				try { | ||||||
|  | 					openerOrigin = window.opener.location.origin; | ||||||
|  | 				} | ||||||
|  | 				catch ( error ) { console.warn( error ) } | ||||||
|  |  | ||||||
|  | 				// In order to prevent XSS, the speaker view will only run if its | ||||||
|  | 				// opener has the same origin as itself | ||||||
|  | 				if( window.location.origin !== openerOrigin ) { | ||||||
|  | 					connectionStatus.innerHTML = 'Cross origin error.<br>The speaker window can only be opened from the same origin.'; | ||||||
|  | 					return; | ||||||
|  | 				} | ||||||
|  |  | ||||||
| 				var connectionTimeout = setTimeout( function() { | 				var connectionTimeout = setTimeout( function() { | ||||||
| 					connectionStatus.innerHTML = 'Error connecting to main window.<br>Please try closing and reopening the speaker view.'; | 					connectionStatus.innerHTML = 'Error connecting to main window.<br>Please try closing and reopening the speaker view.'; | ||||||
| 				}, 5000 ); | 				}, 5000 ); | ||||||
| ; | ; | ||||||
| 				window.addEventListener( 'message', function( event ) { | 				window.addEventListener( 'message', function( event ) { | ||||||
|  |  | ||||||
| 					// Validate the origin of this message to prevent XSS | 					// Validate the origin of all messages to avoid parsing messages | ||||||
| 					if( window.location.origin !== event.origin && whitelistedWindows.indexOf( event.source ) === -1 ) { | 					// that aren't meant for us | ||||||
|  | 					if( window.location.origin !== event.origin ) { | ||||||
| 						return; | 						return; | ||||||
| 					} | 					} | ||||||
|  |  | ||||||
| @@ -539,8 +554,6 @@ | |||||||
| 					upcomingSlide.setAttribute( 'src', upcomingURL ); | 					upcomingSlide.setAttribute( 'src', upcomingURL ); | ||||||
| 					document.querySelector( '#upcoming-slide' ).appendChild( upcomingSlide ); | 					document.querySelector( '#upcoming-slide' ).appendChild( upcomingSlide ); | ||||||
|  |  | ||||||
| 					whitelistedWindows.push( currentSlide.contentWindow, upcomingSlide.contentWindow ); |  | ||||||
|  |  | ||||||
| 				} | 				} | ||||||
|  |  | ||||||
| 				/** | 				/** | ||||||
|   | |||||||
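Review bot: Both new gates — the opener check `if( window.location.origin !== openerOrigin )` and the listener check `if( window.location.origin !== event.origin )` — compare origin strings, and `location.origin` and `event.origin` are the literal string `'null'` for opaque origins (sandboxed frames, and file:// decks in some browsers), so two unrelated opaque-origin windows compare equal and pass; if that case is not meant to be trusted, reject it explicitly, e.g. `if( window.location.origin === 'null' || window.location.origin !== event.origin ) { return; }`, and if file:// decks are deliberately let through, the "prevent XSS" comment should say that the check is only meaningful for non-opaque origins. When `window.opener` is null (speaker view loaded directly), `window.opener.location.origin` throws a TypeError that is only `console.warn`ed and the user is then shown 'Cross origin error.', which is misleading; a preceding `if( !window.opener )` branch with its own message would be clearer. As rendered, the new side of `connected = false` is followed by `var connectionStatus = ...` with no terminator and the `catch ( error ) { console.warn( error ) }` body also lacks a semicolon, both relying on ASI in a file that otherwise terminates statements. The function these hunks sit in starts and ends outside the hunks.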