
Silent refresh event listener does not check messages for origin #1354

Open
tobiashort opened this issue Aug 22, 2023 · 0 comments · May be fixed by #1447


Describe the bug
Related to: #1138
The event listener processes the login operation without checking the origin of the message. It is a potential vulnerability issue.
The origin is checked. If it does not match it logs an error but still continues.

Code location: oauth-service.ts —> setupSilentRefreshEventListener

Expected behavior
setupSilentRefreshEventListener should check the message origin and only attempt login if the message origin is the expected origin.

Explanation
https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage#security_concerns
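The two behaviours described in this issue, as an added example that is not the library's own code: a message handler that only logs an origin mismatch and still processes the message, next to one that drops the message before looking at its contents. The `RefreshMessage` shape, the `tryLogin` callback and the string `data` payload are assumptions for the example; `expectedOrigin` is assumed to be the origin (scheme, host, port) of the issuer, not its full URL.

```typescript
// Added example, not code from angular-oauth2-oidc. Minimal shape of the
// fields we need from a DOM MessageEvent (assumption for the example).
interface RefreshMessage {
  origin: string; // set by the browser, cannot be forged by the sender
  data: unknown;  // silent refresh payload; assumed to be a string here
}

// Hypothetical login callback standing in for the library's tryLogin().
type TryLogin = (data: string) => void;

// Weak pattern from the issue: the mismatch is logged, but execution
// continues and the untrusted message is still handed to tryLogin().
// Returns true when login was attempted.
function handleMessageWeak(
  event: RefreshMessage, expectedOrigin: string, tryLogin: TryLogin,
): boolean {
  if (event.origin !== expectedOrigin) {
    console.error("origin mismatch:", event.origin); // logged only
  }
  if (typeof event.data !== "string") return false;
  tryLogin(event.data); // reached even for a foreign origin
  return true;
}

// Corrected pattern: a message whose origin is not the expected one is
// ignored before any of its contents are inspected. Note that origin is
// compared as an exact string, so passing a full URL (with a path) as
// expectedOrigin would fail closed: every message would be dropped.
function handleMessageStrict(
  event: RefreshMessage, expectedOrigin: string, tryLogin: TryLogin,
): boolean {
  if (event.origin !== expectedOrigin) {
    console.error("silent refresh: ignoring message from", event.origin);
    return false; // stop here; do not touch event.data
  }
  if (typeof event.data !== "string") return false;
  tryLogin(event.data);
  return true;
}

// In the browser this would be wired up as:
//   window.addEventListener("message", (e) =>
//     handleMessageStrict(e, new URL(issuerUrl).origin, tryLogin));
```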
