From aee16c443195ff8ab2b0f5f5e8551e44895d48a1 Mon Sep 17 00:00:00 2001
From: toasted-nutbread <toasted-nutbread@users.noreply.github.com>
Date: Sun, 16 Feb 2020 23:41:17 -0500
Subject: [PATCH] Check origin on window messages

---
 ext/bg/js/settings/popup-preview-frame.js | 3 +++
 ext/bg/js/settings/popup-preview.js       | 8 +++++---
 ext/fg/js/popup.js                        | 3 ++-
 3 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/ext/bg/js/settings/popup-preview-frame.js b/ext/bg/js/settings/popup-preview-frame.js
index e900d4e2..890b8c96 100644
--- a/ext/bg/js/settings/popup-preview-frame.js
+++ b/ext/bg/js/settings/popup-preview-frame.js
@@ -27,6 +27,7 @@ class SettingsPopupPreview {
         this.popupShown = false;
         this.themeChangeTimeout = null;
         this.textSource = null;
+        this._targetOrigin = chrome.runtime.getURL('/').replace(/\/$/, '');
     }
 
     static create() {
@@ -97,6 +98,8 @@ class SettingsPopupPreview {
     }
 
     onMessage(e) {
+        if (e.origin !== this._targetOrigin) { return; }
+
         const {action, params} = e.data;
         const handler = SettingsPopupPreview._messageHandlers.get(action);
         if (typeof handler !== 'function') { return; }
diff --git a/ext/bg/js/settings/popup-preview.js b/ext/bg/js/settings/popup-preview.js
index 0d20471e..d1d2ff5e 100644
--- a/ext/bg/js/settings/popup-preview.js
+++ b/ext/bg/js/settings/popup-preview.js
@@ -40,20 +40,22 @@ function showAppearancePreview() {
 
     window.wanakana.bind(text[0]);
 
+    const targetOrigin = chrome.runtime.getURL('/').replace(/\/$/, '');
+
     text.on('input', () => {
         const action = 'setText';
         const params = {text: text.val()};
-        frame.contentWindow.postMessage({action, params}, '*');
+        frame.contentWindow.postMessage({action, params}, targetOrigin);
     });
     customCss.on('input', () => {
         const action = 'setCustomCss';
         const params = {css: customCss.val()};
-        frame.contentWindow.postMessage({action, params}, '*');
+        frame.contentWindow.postMessage({action, params}, targetOrigin);
     });
     customOuterCss.on('input', () => {
         const action = 'setCustomOuterCss';
         const params = {css: customOuterCss.val()};
-        frame.contentWindow.postMessage({action, params}, '*');
+        frame.contentWindow.postMessage({action, params}, targetOrigin);
     });
 
     container.append(frame);
diff --git a/ext/fg/js/popup.js b/ext/fg/js/popup.js
index 59c46ab8..900e7325 100644
--- a/ext/fg/js/popup.js
+++ b/ext/fg/js/popup.js
@@ -33,6 +33,7 @@ class Popup {
         this._options = null;
         this._contentScale = 1.0;
         this._containerSizeContentScale = null;
+        this._targetOrigin = chrome.runtime.getURL('/').replace(/\/$/, '');
 
         this._container = document.createElement('iframe');
         this._container.className = 'yomichan-float';
@@ -349,7 +350,7 @@ class Popup {
 
     _invokeApi(action, params={}) {
         if (this._container.contentWindow) {
-            this._container.contentWindow.postMessage({action, params}, '*');
+            this._container.contentWindow.postMessage({action, params}, this._targetOrigin);
         }
     }