fix(extension): LW-10206 fix trezor security vulnerabilities (#1023)
* fix(extension): fix trezor security vulnerabilities

* fix(extension): add missing types

---------

Co-authored-by: Szymon Masłowski <[email protected]>
2 people authored and wklos-iohk committed Apr 22, 2024
1 parent 20fdc13 commit f849f97
Showing 3 changed files with 11 additions and 6 deletions.
@@ -1,4 +1,5 @@
import { runtime } from 'webextension-polyfill';
import { AllowedOrigins } from './types';

// Communicate from background script to popup
let port = runtime.connect({ name: 'trezor-connect' });
@@ -12,6 +13,7 @@ port.onDisconnect.addListener(() => {

// communicate from popup to background script
window.addEventListener('message', (event) => {
if (event.origin !== AllowedOrigins.TREZOR_CONNECT) throw new Error('Origin not allowed');
if (port && event.source === window && event.data) {
port.postMessage({ data: event.data });
}
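Review bot: Throwing from the `message` listener on an origin mismatch is the wrong rejection path: every unrelated `postMessage` that reaches this window now surfaces as an uncaught exception, and no caller can catch it. The message is dropped either way, so a silent guard is enough: `if (event.origin !== AllowedOrigins.TREZOR_CONNECT) return;`. The same line is added to the usb-permissions listener in the next file section, where the handler is `async` and the throw becomes an unhandled promise rejection. The listener body continues past the end of this hunk.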
@@ -1,8 +1,5 @@
import { runtime, tabs } from 'webextension-polyfill';

// Handling messages from usb permissions iframe

const url = 'https://connect.trezor.io/8/';
import { AllowedOrigins } from './types';

/* Handling messages from usb permissions iframe */
const switchToPopupTab = async (event?: BeforeUnloadEvent) => {
@@ -21,13 +18,15 @@ const switchToPopupTab = async (event?: BeforeUnloadEvent) => {

// find tab by popup pattern and switch to it
const currentTabs = await tabs.query({
url: `${url}popup.html`
url: `${AllowedOrigins.TREZOR_CONNECT_POPUP_BASE_URL}/popup.html`
});
if (currentTabs.length < 0) return;
tabs.update(currentTabs[0].id, { active: true });
};

window.addEventListener('message', async (event) => {
if (event.origin !== AllowedOrigins.TREZOR_CONNECT) throw new Error('Origin not allowed');

if (event.data === 'usb-permissions-init') {
const iframe = document.querySelector('#trezor-usb-permissions');
if (!iframe || !(iframe instanceof HTMLIFrameElement)) {
@@ -55,7 +54,7 @@ window.addEventListener('load', () => {
instance.style.border = '0px';
instance.style.width = '100%';
instance.style.height = '100%';
instance.setAttribute('src', `${url}extension-permissions.html`);
instance.setAttribute('src', `${AllowedOrigins.TREZOR_CONNECT_POPUP_BASE_URL}/extension-permissions.html`);
instance.setAttribute('allow', 'usb');

if (document.body) {
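Review bot: `if (currentTabs.length < 0) return;` in `switchToPopupTab` can never be true, so when `tabs.query` finds no tab matching the new `${AllowedOrigins.TREZOR_CONNECT_POPUP_BASE_URL}/popup.html` pattern, the next line reads `currentTabs[0].id` on an empty array and throws. The guard should be `if (currentTabs.length === 0) return;`. The line is unchanged context, but it sits directly under the query this commit rewrites. The start of `switchToPopupTab` is outside the visible hunk.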
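--- a/apps/browser-extension-wallet/src/lib/scripts/trezor/types.ts
+++ b/apps/browser-extension-wallet/src/lib/scripts/trezor/types.ts
@@ -0,0 +1,4 @@
+export enum AllowedOrigins {
+TREZOR_CONNECT = 'https://connect.trezor.io',
+TREZOR_CONNECT_POPUP_BASE_URL = 'https://connect.trezor.io/8'
+}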
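Review bot: `TREZOR_CONNECT_POPUP_BASE_URL` is a URL with a path, not an origin, yet it sits in an enum named `AllowedOrigins` next to the value used for the `event.origin` checks. `event.origin` never carries a path, so a later comparison against this member would never match, and a reader could mistake it for a second accepted origin. I would document the distinction on the member, for example `// Base URL (origin + path) for building popup/iframe URLs; never compare against event.origin`, or move it to a separate constant.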
