feat(connect-popup): call method via URL params #14044

Draft
wants to merge 1 commit into
base: develop

martykan
Member

Description

This idea came from discussion about using deep links for Connect on mobile.
If we have an HTTPS URL for Connect, which is handled by deep linking into the app, it's a good idea to have some fallback content if the user doesn't have the app installed and opens it in a browser.

So I prepared a POC to support this same deep linking flow with Connect Popup, that could be used for desktop.

With this change popup.html now supports the following URL parameters:

  • method - name of method that is called
  • params - JSON payload for the method
  • callback - URL to where the response is redirected

For example:

https://dev.suite.sldev.cz/connect/feat/connect-popup-via-url-params/popup.html?method=getAddress&params=%7B%22path%22:%22m/49%27/0%27/0%27/0/0%22%7D&callback=https://httpbin.org/get
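
A defensive take on the three parameters described above, as an added example that is not code from this pull request or the project: it checks `method`, `params` and `callback` before use and builds the redirect with the URL API. The allowlists and function names are assumptions; `https://httpbin.org` is listed only because the description uses it as its sample callback.

```javascript
// Added example, not the PR's code. Both allowlists are assumptions.
const ALLOWED_CALLBACK_ORIGINS = new Set(['https://httpbin.org']); // sample host from the description
const ALLOWED_METHODS = new Set(['getAddress']); // constructed for the example

function validateCallback(raw) {
    if (raw === null) return null; // callback is optional
    let cb;
    try {
        cb = new URL(raw); // absolute URLs only; relative input throws
    } catch {
        throw new Error('callback is not an absolute URL');
    }
    // Rejects javascript:, data:, http: and any origin that is not registered.
    if (cb.protocol !== 'https:' || !ALLOWED_CALLBACK_ORIGINS.has(cb.origin)) {
        throw new Error('callback origin not allowed');
    }
    if (cb.username || cb.password) throw new Error('callback carries credentials');
    return cb;
}

function parsePopupRequest(href) {
    const url = new URL(href);
    const method = url.searchParams.get('method');
    if (!method || !ALLOWED_METHODS.has(method)) {
        throw new Error('unsupported method');
    }
    let params;
    try {
        params = JSON.parse(url.searchParams.get('params') ?? '{}');
    } catch {
        throw new Error('params is not valid JSON');
    }
    if (params === null || typeof params !== 'object' || Array.isArray(params)) {
        throw new Error('params must be a JSON object');
    }
    return { method, params, callback: validateCallback(url.searchParams.get('callback')) };
}

function buildRedirect(callback, payload) {
    const target = new URL(callback.href); // copy; keeps any existing query string
    target.searchParams.set('response', JSON.stringify(payload));
    return target.href;
}
```
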

@martykan martykan force-pushed the feat/connect-popup-via-url-params branch from 8a3b5c8 to a106f75 Compare August 30, 2024 13:41
console.log('response', event.data);
const callback = urlParams.get('callback');
if (callback) {
location.href = `${callback}?response=${encodeURIComponent(JSON.stringify(event.data.payload))}`;
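Review bot: `callback` goes from `urlParams.get('callback')` straight into the `location.href` assignment with no check on where it points, so whoever crafts the popup link decides which site receives `event.data.payload`. Parse it with `new URL(callback)` and redirect only when its origin is on a list of registered callback origins. The template also appends `?response=` unconditionally, which yields a malformed URL when the callback already has a query string; setting the value through `searchParams.set('response', ...)` on the parsed URL avoids that.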

Check warning

Code scanning / CodeQL

Client-side URL redirect Medium

Untrusted URL redirection depends on a user-provided value.
console.log('response', event.data);
const callback = urlParams.get('callback');
if (callback) {
location.href = `${callback}?response=${encodeURIComponent(JSON.stringify(event.data.payload))}`;
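Review bot: the `location.href` assignment accepts any scheme, so a `callback` that starts with `javascript:` is executed in the popup's origin instead of being navigated to. Require `protocol === 'https:'` on the parsed URL before assigning. Separately, `console.log('response', event.data)` writes the full response to the console and is worth dropping before this leaves draft.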

Check failure

Code scanning / CodeQL

Client-side cross-site scripting High

Cross-site scripting vulnerability due to user-provided value.