From eff70733c9e84c41798d9200266be44e5a08eb0b Mon Sep 17 00:00:00 2001
From: Andrej Golcov
Date: Tue, 19 May 2015 12:55:37 +0200
Subject: [PATCH] adding support of array for checkOrigin parameter of iframeResizer
---
 README.md | 4 ++--
 src/iframeResizer.js | 29 ++++++++++++++++++++++++-----
 2 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index c2b063ec2..b32a54fac 100644
--- a/README.md
+++ b/README.md
@@ -82,9 +82,9 @@ Override the default body margin style in the iFrame. A string can be any valid
 ### checkOrigin default: true
- type: boolean
+ type: boolean || array
-When set to true, only allow incoming messages from the domain listed in the `src` property of the iFrame tag. If your iFrame navigates between different domains, ports or protocols; then you will need to disable this option.
+When set to true, only allow incoming messages from the domain listed in the `src` property of the iFrame tag. If your iFrame navigates between different domains, ports or protocols; then you will need to provide an array of domains or disable this option.
 ### enableInPageLinks
diff --git a/src/iframeResizer.js b/src/iframeResizer.js
index 411474f58..6ec7330eb 100644
--- a/src/iframeResizer.js
+++ b/src/iframeResizer.js
@@ -166,20 +166,39 @@ messageData[dimension]=''+size;
 }
+ function checkAllowedOrigin(origin,checkOrigin,remoteHost){
+ function checkList(){
+ log(' Checking connection is from list of origins: ' + checkOrigin);
+ var i;
+ for (i = 0; i < checkOrigin.length; i++) {
+ if (checkOrigin[i] === origin) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ function checkSingle(){
+ log(' Checking connection is from: '+remoteHost);
+ return origin == remoteHost;
+ }
+
+ return checkOrigin.constructor === Array ? checkList() : checkSingle();
+ }
+
 function isMessageFromIFrame(){
 var origin = event.origin, remoteHost = messageData.iframe.src.split('/').slice(0,3).join('/');
- if (settings[iframeID].checkOrigin) {
- log(' Checking connection is from: '+remoteHost);
-
- if ((''+origin !== 'null') && (origin !== remoteHost)) {
+ var checkOrigin = settings[iframeID].checkOrigin;
+ if (checkOrigin) {
+ if ((''+origin !== 'null') && !checkAllowedOrigin(origin,checkOrigin,remoteHost)) {
 throw new Error( 'Unexpected message received from: ' + origin + ' for ' + messageData.iframe.id + '. Message was: ' + event.data +
- '. This error can be disabled by adding the checkOrigin: false option.'
+ '. This error can be disabled by adding the checkOrigin: false option or providing of array of trusted domains.'
 );
 }
 }
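Review bot: A message whose origin serializes to 'null' is still accepted without being compared to anything, because the guard `(''+origin !== 'null') && !checkAllowedOrigin(origin,checkOrigin,remoteHost)` in isMessageFromIFrame short-circuits before the new list is consulted; opaque origins such as a sandboxed frame report that value, so an explicit allowlist does not restrict them. When checkOrigin is an array the list should decide: reduce the condition to `if (!checkAllowedOrigin(origin,checkOrigin,remoteHost)) {` and keep the exemption only in checkSingle as `return ''+origin === 'null' || origin === remoteHost;`, which also restores the strict comparison the removed line used. In the same helper, `Array.isArray(checkOrigin)` (where the supported browsers provide it) is a more robust test than `checkOrigin.constructor === Array`, which sends a string value or an array created in another window down the single-origin path without any warning. isMessageFromIFrame ends outside the hunk.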