Fix: Improve window.top postMessage interception #7
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit addresses an issue where `postMessage` calls involving `window.top` might not be reliably intercepted and `event.source` could be misidentified.
Key changes in `WindowScript.js`:
- Implemented a global proxy for `Window.prototype.postMessage` to ensure broader interception coverage.
- Added specific logic to attempt to apply this proxy directly to `window.top.postMessage` if it hasn't been covered by the prototype chain modification, with error handling for potential cross-origin restrictions.
- Introduced a Symbol (`Symbol.for('postLoggerHandled')`) for deduplication to prevent logging the same message multiple times if it passes through various hooks.
- Refined how `postMessage` is hooked in the `handle` function and for `MessagePort.prototype.postMessage` to incorporate the deduplication logic.
Updated `security.md`:
- Documented the enhanced `postMessage` interception capabilities, including the focus on `window.top`.
- Added notes on the deduplication mechanism.
- Included considerations regarding browser security limitations when interacting with a cross-origin `window.top`.
These changes aim to make the extension more robust in capturing and correctly identifying the source of `postMessage` events, especially in complex frame hierarchies involving `window.top`.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit addresses an issue where
postMessagecalls involvingwindow.topmight not be reliably intercepted andevent.sourcecould be misidentified.Key changes in
WindowScript.js:Window.prototype.postMessageto ensure broader interception coverage.window.top.postMessageif it hasn't been covered by the prototype chain modification, with error handling for potential cross-origin restrictions.Symbol.for('postLoggerHandled')) for deduplication to prevent logging the same message multiple times if it passes through various hooks.postMessageis hooked in thehandlefunction and forMessagePort.prototype.postMessageto incorporate the deduplication logic.Updated
security.md:postMessageinterception capabilities, including the focus onwindow.top.window.top.These changes aim to make the extension more robust in capturing and correctly identifying the source of
postMessageevents, especially in complex frame hierarchies involvingwindow.top.