Parent origin whitelist for h5p-postmessage.
See #3364.
boonebgorges committed Aug 6, 2024
1 parent 712173f commit bec620a
Showing 2 changed files with 19 additions and 0 deletions.
6 changes: 6 additions & 0 deletions wp-content/plugins/h5p-postmessage/assets/src/frontend.js
Expand Up @@ -58,6 +58,12 @@
return;
}

const { allowedDomains } = window.h5pPostMessageData;

if ( ! allowedDomains.includes( window.parent.origin ) ) {
return;
}

window.parent.postMessage( postMessageData, '*' );
});
})();
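Review bot: The new guard reads `window.parent.origin`, which throws a SecurityError whenever the parent document is cross-origin — `origin` is not among the properties a cross-origin Window exposes — so for the embedding case this whitelist is meant to cover the callback aborts with an exception rather than a quiet `return`, and the message is never delivered; only a same-origin parent (which the check passes trivially) still works. The browser already enforces target origins for you, so drop the read of the parent's origin and the `'*'` wildcard and instead send to each allowed origin explicitly: `allowedDomains.forEach( ( origin ) => window.parent.postMessage( postMessageData, origin ) );` — a parent whose origin matches none of them silently receives nothing. The destructuring on the first added line also throws if the inline `h5pPostMessageData` script is missing; `const { allowedDomains = [] } = window.h5pPostMessageData || {};` keeps that failure soft. The enclosing event callback and IIFE begin before this hunk.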
13 changes: 13 additions & 0 deletions wp-content/plugins/h5p-postmessage/h5p-postmessage.php
Expand Up @@ -31,6 +31,19 @@ function( &$tags ) {
plugin_dir_url( __FILE__ ) . 'build/frontend.js'
);

// Default to the current domain only.
$url_parts = wp_parse_url( get_site_url() );
$allowed_domains = [ $url_parts['scheme'] . '://' . $url_parts['host'] ];

$data = [
'allowedDomains' => apply_filters( 'h5p_postmessage_allowed_domains', $allowed_domains ),
];

$tags[] = sprintf(
'<script>var h5pPostMessageData = %s;</script>',
wp_json_encode( $data )
);

return $tags;
}
);
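Review bot: The default built on the `$allowed_domains` line omits the port, so a site served on a non-default port (e.g. `https://example.com:8443`) produces an origin string that can never equal the browser's own origin for that site, and the frontend's exact `includes()` comparison would suppress the message for the plugin's own host; the same line also emits notices if `wp_parse_url()` yields no `scheme` or `host`. Build the default from the parsed parts including `port` when present, and say in a comment above `apply_filters` that the filter must return full origins (`scheme://host[:port]`), not bare domains, since that is what the JS compares. The inline `<script>` is built with `wp_json_encode( $data )` without `JSON_HEX_TAG`, so a filter-supplied value containing `</script>` would break out of the tag; passing `JSON_HEX_TAG | JSON_HEX_AMP` costs nothing and matters only if that filter is ever fed untrusted input. The enclosing closure starts before this hunk.
```php
// Default to this site's own origin only. An origin is scheme://host[:port],
// so a non-default port must be kept or the frontend comparison never matches.
$url_parts = wp_parse_url( get_site_url() );
$origin    = ( $url_parts['scheme'] ?? '' ) . '://' . ( $url_parts['host'] ?? '' );
if ( ! empty( $url_parts['port'] ) ) {
	$origin .= ':' . $url_parts['port'];
}
$allowed_domains = [ $origin ];
// … unchanged: $data / apply_filters …
$tags[] = sprintf(
	'<script>var h5pPostMessageData = %s;</script>',
	wp_json_encode( $data, JSON_HEX_TAG | JSON_HEX_AMP )
);
```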
