From 34f9404959f5c47df56820628860fb31176ba51c Mon Sep 17 00:00:00 2001
From: Michael Telatynski <7t3chguy@gmail.com>
Date: Fri, 9 Aug 2024 13:59:48 +0100
Subject: [PATCH 1/3] Soften UIA fallback postMessage check to work cross-origin

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
---
 src/components/views/auth/InteractiveAuthEntryComponents.tsx | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/components/views/auth/InteractiveAuthEntryComponents.tsx b/src/components/views/auth/InteractiveAuthEntryComponents.tsx
index 7bed60d6037..f9572399017 100644
--- a/src/components/views/auth/InteractiveAuthEntryComponents.tsx
+++ b/src/components/views/auth/InteractiveAuthEntryComponents.tsx
@@ -950,7 +950,9 @@ export class FallbackAuthEntry extends React.Component {
     };
 
     private onReceiveMessage = (event: MessageEvent): void => {
-        if (event.data === "authDone" && event.origin === this.props.matrixClient.getHomeserverUrl()) {
+        // We don't check the origin here as we don't trust any incoming data and just use it as a ping to retry the request,
+        // and the HS may delegate the fallback to another origin, due to CORS we cannot inspect the origin of the popupWindow.
+        if (event.data === "authDone") {
             this.props.submitAuthDict({});
         }
     };

From 0b64177b7a03cc8180a739102003f8bd94b5b7f2 Mon Sep 17 00:00:00 2001
From: Michael Telatynski <7t3chguy@gmail.com>
Date: Wed, 14 Aug 2024 10:31:00 +0100
Subject: [PATCH 2/3] Do the same for the SSO UIA flow

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
---
 src/components/views/auth/InteractiveAuthEntryComponents.tsx | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/components/views/auth/InteractiveAuthEntryComponents.tsx b/src/components/views/auth/InteractiveAuthEntryComponents.tsx
index f9572399017..de609f0f987 100644
--- a/src/components/views/auth/InteractiveAuthEntryComponents.tsx
+++ b/src/components/views/auth/InteractiveAuthEntryComponents.tsx
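Review bot: With the origin test dropped, the new condition on the `+        if (event.data === "authDone") {` line accepts the string from any window that holds a reference to this one — an embedding frame, the opener, or any other popup — and each such message drives a fresh `submitAuthDict({})` request to the homeserver, so the added comment's "just a ping to retry" framing understates what the message triggers. The same relaxation is applied to SSOAuthEntry in PATCH 2/3; PATCH 3/3 in this series narrows both handlers to `event.source === this.popupWindow`, so the two intermediate states are best not left as standalone commits. The added comment also attributes the restriction to CORS, but it is the same-origin policy that blocks reading a cross-origin popup's `location`; the comment is removed again in PATCH 3/3, so this only matters if the series is not squashed.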
@@ -833,7 +833,9 @@ export class SSOAuthEntry extends React.Component {
-        if (event.data === "authDone" && event.origin === this.props.matrixClient.getHomeserverUrl()) {
+        // We don't check the origin here as we don't trust any incoming data and just use it as a ping to retry the request,
+        // and the HS may delegate the fallback to another origin, due to CORS we cannot inspect the origin of the popupWindow.
+        if (event.data === "authDone") {
             if (this.popupWindow) {
                 this.popupWindow.close();
                 this.popupWindow = null;

From 974f12ac6f44a1eb32a35e0a914cf6e5892a42c6 Mon Sep 17 00:00:00 2001
From: Michael Telatynski <7t3chguy@gmail.com>
Date: Thu, 15 Aug 2024 11:04:57 +0100
Subject: [PATCH 3/3] Check against MessageEvent::source instead

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
---
 .../views/auth/InteractiveAuthEntryComponents.tsx | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/src/components/views/auth/InteractiveAuthEntryComponents.tsx b/src/components/views/auth/InteractiveAuthEntryComponents.tsx
index de609f0f987..d54b52c1a0f 100644
--- a/src/components/views/auth/InteractiveAuthEntryComponents.tsx
+++ b/src/components/views/auth/InteractiveAuthEntryComponents.tsx
@@ -833,9 +833,7 @@ export class SSOAuthEntry extends React.Component {
-        // We don't check the origin here as we don't trust any incoming data and just use it as a ping to retry the request,
-        // and the HS may delegate the fallback to another origin, due to CORS we cannot inspect the origin of the popupWindow.
-        if (event.data === "authDone") {
+        if (event.data === "authDone" && event.source === this.popupWindow) {
             if (this.popupWindow) {
                 this.popupWindow.close();
                 this.popupWindow = null;
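Review bot: The new `event.source === this.popupWindow` condition in the PATCH 3/3 SSOAuthEntry hunk deletes the explanatory comment and puts nothing in its place, so a later reader sees an origin check gone and has no record of why a sender-identity check is the substitute. A one-line comment above the condition would keep that reasoning with the code, e.g. `// Match the sender against the popup we opened rather than its origin: the homeserver may delegate the fallback page to another origin, and the popup's WindowProxy keeps its identity across those navigations.` As reproduced here, both -833 hunks lack their leading context lines, so `onReceiveMessage`'s signature sits outside the visible hunk.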
@@ -952,9 +950,7 @@ export class FallbackAuthEntry extends React.Component {
     };
 
     private onReceiveMessage = (event: MessageEvent): void => {
-        // We don't check the origin here as we don't trust any incoming data and just use it as a ping to retry the request,
-        // and the HS may delegate the fallback to another origin, due to CORS we cannot inspect the origin of the popupWindow.
-        if (event.data === "authDone") {
+        if (event.data === "authDone" && event.source === this.popupWindow) {
             this.props.submitAuthDict({});
         }
     };
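Review bot: The new condition `event.source === this.popupWindow` is also satisfied when both sides are null, and unlike the SSOAuthEntry hunk this handler has no inner `if (this.popupWindow)` guard, so a `message` event whose `source` is null — before the popup has been opened, or after the field is cleared — would reach `submitAuthDict({})`; whether `popupWindow` is initialised to null is not visible in this hunk. Requiring the popup reference explicitly closes that path: `if (event.data === "authDone" && this.popupWindow && event.source === this.popupWindow) {`. Comparing against the WindowProxy is otherwise sound, since that object keeps its identity while the popup navigates to whatever origin the homeserver delegates the fallback page to.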