Use postMessage instead of directly making API calls in the overlay iframe. #13446
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tsteur
reviewed
Sep 18, 2018
| @@ -139,6 +144,7 @@ var Piwik_Overlay = (function () { | |||
| function hashChangeCallback(urlHash) { | |||
| var location = getOverlayLocationFromHash(urlHash); | |||
| location = Overlay_Helper.decodeFrameUrl(location); | |||
| iframeOrigin = location.match(DOMAIN_PARSE_REGEX)[0]; | |||
There was a problem hiding this comment.
can we be sure there will be an entry with index [0]?
tsteur
reviewed
Sep 18, 2018
| var url = decodeURIComponent(strData[2]); | ||
|
|
||
| var params = broadcast.getValuesFromUrl(url); | ||
|
|
There was a problem hiding this comment.
Can we here only allow specific API methods needed for overlay to increase the security?
tsteur
reviewed
Sep 18, 2018
| iframeDomain = currentUrl.match(/http(s)?:\/\/(www\.)?([^\/]*)/i)[3]; | ||
| var m = currentUrl.match(DOMAIN_PARSE_REGEX); | ||
| iframeDomain = m[3]; | ||
| iframeOrigin = m[0]; |
There was a problem hiding this comment.
I presume an attacker cannot set a different iframeOrigin to her or his liking? eg by crafting a url that matches the regex etc... Also m[0] and m[3] might not be defined for whatever reason... might need to add some check there to make sure they are set...
I'm thinking would it be possible for additional security to only accept origins of configured siteURLs? I think this check is done so far maybe in the twig but not sure if in JS
|
@tsteur Updated. |
|
LGTM if tests pass |
InfinityVoid
pushed a commit
to InfinityVoid/matomo
that referenced
this pull request
Oct 11, 2018
…frame. (matomo-org#13446) * Use postMessage instead of directly making API calls in the overlay iframe. * Make sure it will work when Matomo is on a subfolder. * Increase overlay security with domain and method whitelists. * Try to fix UI test. * Fix tests + UI test blacklist check. * broadcast.getValuesFromUrl does not decode URL params.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This fix replaces #13420 as we noticed some other issues in Overlay when reviewing it.
Fixes #13406