this.debug('got info from session check inframe',e);
@manfredsteyer @jeroenheijmans is this project still being maintained? Could you please review and merge outstanding PRs like this and release a new version? Do you need any help?
I moderate issues and tend to post insights on PRs if I have any. At the moment I don't do merging, releasing, etc. AFAIK Manfred does so only whenever a new major Angular version comes out.
Describe the bug
Currently the setupSessionCheckEventListener() function logs ALL the events posted with window.postMessage():
angular-oauth2-oidc/projects/lib/src/oauth-service.ts
Line 1046 in 01b4f20
While this might make sense for events received from the session check frame, this makes absolutely no sense for messages received from other origins.
For example, in my application we use window.postMessage() for communication between iframes a lot. All the messages that are received from other sources (not from the session check frame) should be simply ignored by the oidc library.
This could have been not a huge issue, but since we're logging the whole event object (including all the source and target data), this leads to a huge memory leak. When the source iframe is detached from the DOM, it should be destroyed, but since a reference to its contentWindow is contained in the console now, the contentWindow cannot be garbage collected, so the whole iframe element is retained in memory.
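One way to write a message listener that drops events from other frames before logging and never passes the event object to the logger, as an added example that is not angular-oauth2-oidc's code. The name createSessionCheckListener and its option names are hypothetical; the three accepted values are the replies the OpenID Connect Session Management spec defines for the OP iframe, and the events in demo() are constructed.

```javascript
// Added example. createSessionCheckListener and its options are hypothetical
// names, not the library's API.
const OP_REPLIES = new Set(['changed', 'unchanged', 'error']);

function createSessionCheckListener({ issuer, getFrameWindow, debug, onState }) {
  // Compare against the issuer's exact origin, not a string prefix of it.
  const expectedOrigin = new URL(issuer).origin;

  return function onMessage(e) {
    // Reject on origin AND source before any logging, so unrelated
    // iframe-to-iframe traffic never reaches the debug output.
    if (e.origin !== expectedOrigin || e.source !== getFrameWindow()) return false;
    // The OP iframe only ever replies with one of three short strings.
    if (typeof e.data !== 'string' || !OP_REPLIES.has(e.data)) return false;
    // Log the string payload only. Logging `e` would hand e.source (a
    // contentWindow) to the console and keep a detached iframe alive.
    debug('got info from session check iframe', e.data);
    onState(e.data);
    return true;
  };
}

// Constructed sample events; plain objects stand in for window references.
function demo() {
  const frameWindow = { name: 'session-check-frame' };
  const otherWindow = { name: 'unrelated-app-iframe' };
  const logged = [];
  const states = [];
  const listener = createSessionCheckListener({
    issuer: 'https://idp.example.test/realms/demo',
    getFrameWindow: () => frameWindow,
    debug: (...args) => logged.push(args),
    onState: (s) => states.push(s),
  });
  const idp = 'https://idp.example.test';
  const handled = [
    listener({ origin: idp, source: frameWindow, data: 'changed' }),
    listener({ origin: 'https://app.example.test', source: otherWindow, data: { k: 1 } }),
    listener({ origin: idp, source: otherWindow, data: 'changed' }),
    listener({ origin: idp, source: frameWindow, data: 'bogus' }),
  ];
  // True if a window reference ever reached the logger (the retention path).
  const leakedWindow = logged.flat().some((a) => a === frameWindow || a === otherWindow);
  return { handled, states, logged, leakedWindow };
}
```

In a browser the returned function is what gets passed to window.addEventListener('message', ...), with getFrameWindow returning the session check iframe's contentWindow.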