	new attempt at speaker view xss fix
							| @@ -1,4 +1,4 @@ | ||||
| import speakerViewHTML from './speaker-view.html'; | ||||
| import speakerViewHTML from './speaker-view.html' | ||||
|  | ||||
| import { marked } from 'marked'; | ||||
|  | ||||
|   | ||||
| @@ -350,8 +350,9 @@ | ||||
| 					layoutDropdown, | ||||
| 					pendingCalls = {}, | ||||
| 					lastRevealApiCallId = 0, | ||||
| 					connected = false, | ||||
| 					whitelistedWindows = [window.opener]; | ||||
| 					connected = false | ||||
|  | ||||
| 				var connectionStatus = document.querySelector( '#connection-status' ); | ||||
|  | ||||
| 				var SPEAKER_LAYOUTS = { | ||||
| 					'default': 'Default', | ||||
| @@ -362,15 +363,29 @@ | ||||
|  | ||||
| 				setupLayout(); | ||||
|  | ||||
| 				var connectionStatus = document.querySelector( '#connection-status' ); | ||||
| 				let openerOrigin; | ||||
|  | ||||
| 				try { | ||||
| 					openerOrigin = window.opener.location.origin; | ||||
| 				} | ||||
| 				catch ( error ) { console.warn( error ) } | ||||
|  | ||||
| 				// In order to prevent XSS, the speaker view will only run if its | ||||
| 				// opener has the same origin as itself | ||||
| 				if( window.location.origin !== openerOrigin ) { | ||||
| 					connectionStatus.innerHTML = 'Cross origin error.<br>The speaker window can only be opened from the same origin.'; | ||||
| 					return; | ||||
| 				} | ||||
|  | ||||
| 				var connectionTimeout = setTimeout( function() { | ||||
| 					connectionStatus.innerHTML = 'Error connecting to main window.<br>Please try closing and reopening the speaker view.'; | ||||
| 				}, 5000 ); | ||||
| ; | ||||
| 				window.addEventListener( 'message', function( event ) { | ||||
|  | ||||
| 					// Validate the origin of this message to prevent XSS | ||||
| 					if( window.location.origin !== event.origin && whitelistedWindows.indexOf( event.source ) === -1 ) { | ||||
| 					// Validate the origin of all messages to avoid parsing messages | ||||
| 					// that aren't meant for us | ||||
| 					if( window.location.origin !== event.origin ) { | ||||
| 						return; | ||||
| 					} | ||||
|  | ||||
| @@ -539,8 +554,6 @@ | ||||
| 					upcomingSlide.setAttribute( 'src', upcomingURL ); | ||||
| 					document.querySelector( '#upcoming-slide' ).appendChild( upcomingSlide ); | ||||
|  | ||||
| 					whitelistedWindows.push( currentSlide.contentWindow, upcomingSlide.contentWindow ); | ||||
|  | ||||
| 				} | ||||
|  | ||||
| 				/** | ||||
|   | ||||
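Review bot: The same-origin gate at `if( window.location.origin !== openerOrigin )` and the message filter at `if( window.location.origin !== event.origin )` compare origin strings, which is only a real same-origin proof for tuple origins; when the speaker view itself runs under an opaque origin (for example a sandboxed frame, or `file://` in browsers that serialize it as `"null"`), both sides become the literal string `"null"` and any other opaque-origin window passes both checks. Rejecting that case explicitly, e.g. `if( openerOrigin === 'null' || window.location.origin !== openerOrigin )` and the same for `event.origin`, makes the gate fail closed instead of open. Separately, when `window.opener` is null (view opened directly, or the opener already closed) the `try` block throws a TypeError and the user is told "Cross origin error", which is misleading; a distinct message for a missing opener would help diagnosis. The lone `;` after `}, 5000 );` looks like a stray empty statement if it is part of the new code. The enclosing function starts before this hunk, so the early `return;` exits whatever function wraps this setup code.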