
dynamic iframe url #73

Closed
KutnerUri opened this issue Oct 12, 2021 · 3 comments · Fixed by #74

Comments

@KutnerUri
Contributor

I'm using an iframe that includes redirects as part of its setup, and I'm getting this error:

[Penpal] Parent: Handshake - Received SYN message from origin https://m73gees.scopes.teambit.dev which did not match expected origin https://symphony.bit.dev

The setup goes something like this:

----> https://symphony.bit.dev/api/resolve/teambit.organization
      (backend logic)

<---- redirect 302 to https://m73gees.scopes.teambit.dev
      (iframe redirects)

----> https://m73gees.scopes.teambit.dev

      getting SYN from m73gees.scopes.teambit.dev
(err) "did not match expected origin"

I wanted to disable the childOrigin check, but it does not seem to be possible. Leaving it as "" or undefined defaults to the iframe's src, and "*" doesn't work.

I don't have a way to know the final url of the iframe. Is there another property I can use? (like name="...", or title="...")

@KutnerUri
Contributor Author

KutnerUri commented Oct 12, 2021

@Aaronius Please check PR #74 :)

@Aaronius
Owner

Thanks for the contribution, @KutnerUri! I see your predicament and why you would want this feature. I want to make sure the security implications of not using https://symphony.bit.dev for childOrigin are considered. In this case, if an attacker were to be able to nefariously navigate the iframe to a nefarious URL, the page at the nefarious URL could spoof being a legitimate child and receive potentially sensitive information from your parent.

For example, if, inside your https://symphony.bit.dev/api/resolve/teambit.organization page, a nefarious attacker could make a link appear that others could click on (for example, if you failed to inadequately escape HTML in a message board comment), and that link navigates an unsuspecting user's iframe to a nefarious page, then the nefarious page could communicate with your parent window and start receiving communication.

Does that make sense? Would you be willing to accept that risk?
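To make the trade-off concrete, here is an added example (not Penpal's own code) of a parent-side origin check for the SYN handshake message quoted in the issue. It assumes a hypothetical message shape `{ penpal: 'syn' }` and a hypothetical allowlist option, and shows three settings: the iframe's src origin only (the rejection reported above), an allowlist of every origin the iframe can legitimately land on after the redirect, and `'*'`, which disables the check and accepts a SYN from any page the iframe has been navigated to.

```javascript
// Added example, not Penpal's implementation. Message shape and the allowlist
// option are assumptions made for this illustration.

function normalizeOrigin(value) {
  // Accept a full URL or a bare origin; compare only scheme + host + port.
  try {
    return new URL(value).origin;
  } catch {
    return null;
  }
}

function checkSynOrigin(event, expected) {
  // event: { origin, data } as delivered to a 'message' listener.
  // expected: one origin string, an array of origins, or '*' (no check).
  if (!event.data || event.data.penpal !== 'syn') {
    return { accepted: false, reason: 'not a SYN message' };
  }
  if (expected === '*') {
    // Risky: any origin, including one an attacker navigated the iframe to.
    return { accepted: true, reason: 'origin check disabled' };
  }
  const allowed = (Array.isArray(expected) ? expected : [expected])
    .map(normalizeOrigin)
    .filter(Boolean);
  const origin = normalizeOrigin(event.origin);
  if (origin && allowed.includes(origin)) {
    return { accepted: true, reason: 'origin matched' };
  }
  return {
    accepted: false,
    reason: `Received SYN message from origin ${event.origin} ` +
      `which did not match expected origin ${allowed.join(', ')}`,
  };
}

// Constructed sample: the SYN arrives from the redirect target in the issue.
const synFromRedirect = {
  origin: 'https://m73gees.scopes.teambit.dev',
  data: { penpal: 'syn' },
};
// Only the src origin expected: rejected, which is the error in the issue.
const strict = checkSynOrigin(synFromRedirect, 'https://symphony.bit.dev');
// Allowlist of known final origins: accepted, and the check is kept.
const allowlisted = checkSynOrigin(synFromRedirect, [
  'https://symphony.bit.dev/api/resolve/teambit.organization',
  'https://m73gees.scopes.teambit.dev',
]);
console.log(strict.accepted, allowlisted.accepted); // false true
```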

@Aaronius
Owner

Considering your comments that followed on the pull request, I think you're willing to accept the risk in your case.

Thanks for your contribution, @KutnerUri! Released as v6.2.0.
