Slightly more flexible iframe origin checking

2025-04-26 14:03:28 -04:00 · 2016-07-15 11:19:22 -07:00 · 2016-07-15 11:19:22 -07:00 · 5a688e42c7
commit 5a688e42c7
parent 1e640fb74c
2 changed files with 11 additions and 6 deletions
--- a/app/assets/javascripts/web-dev-listener.js
+++ b/app/assets/javascripts/web-dev-listener.js
@ -7,15 +7,20 @@ var virtualDOM;
 var goalStates;

 var allowedOrigins = [
-    'https://codecombat.com',
-    'http://localhost:3000',
-    'http://direct.codecombat.com',
-    'http://staging.codecombat.com'
+    /https:\/\/codecombat\.com/,
+    /http:\/\/localhost:3000/,
+    /http:\/\/direct\.codecombat\.com/,
+    /http:\/\/staging\.codecombat\.com/,
+    /http:\/\/codecombat-staging-codecombat\.runnableapp\.com/,
 ];

 function receiveMessage(event) {
    var origin = event.origin || event.originalEvent.origin; // For Chrome, the origin property is in the event.originalEvent object.
-    if (allowedOrigins.indexOf(origin) == -1) {
+    var allowed = false;
+    allowedOrigins.forEach(function(pattern) {
+	allowed = allowed || pattern.test(origin);
+    });
+    if (!allowed) {
        console.log('Ignoring message from bad origin:', origin);
        return;
    }
--- a/app/views/play/level/WebSurfaceView.coffee
+++ b/app/views/play/level/WebSurfaceView.coffee
@ -50,7 +50,7 @@ module.exports = class WebSurfaceView extends CocoView

  onIframeMessage: (e) =>
    origin = e.origin or e.originalEvent.origin
-    unless origin in ['https://codecombat.com', 'http://localhost:3000']
+    unless origin is window.location.origin
      return console.log 'Ignoring message from bad origin:', origin
    unless event.source is @iframe.contentWindow
      return console.log 'Ignoring message from somewhere other than our iframe:', event.source