fix(web): restrict postMessage targetOrigin from wildcard to specific origins (#30690)

Co-authored-by: XW <wei.xu1@wiz.ai>
xuwei95
2026-01-08 17:23:27 +08:00
committed by GitHub
parent cd1af04dee
commit b2cbeeae92
2 changed files with 9 additions and 4 deletions
+6 -3
@@ -10,12 +10,15 @@ export const useOAuthCallback = () => {
const errorDescription = urlParams.get('error_description')
if (window.opener) {
// Use window.opener.origin instead of '*' for security
const targetOrigin = window.opener?.origin || '*'
if (subscriptionId) {
window.opener.postMessage({
type: 'oauth_callback',
success: true,
subscriptionId,
}, '*')
}, targetOrigin)
}
else if (error) {
window.opener.postMessage({
@@ -23,12 +26,12 @@ export const useOAuthCallback = () => {
success: false,
error,
errorDescription,
}, '*')
}, targetOrigin)
}
else {
window.opener.postMessage({
type: 'oauth_callback',
}, '*')
}, targetOrigin)
}
window.close()
}
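Review bot: The fallback in `const targetOrigin = window.opener?.origin || '*'` reintroduces the wildcard the commit sets out to remove, and it does not cover the case it appears aimed at: reading `origin` on a cross-origin opener's WindowProxy throws a SecurityError rather than yielding undefined, so the callback page would fail before reaching postMessage, while for a same-origin opener the lookup is just this page's own origin. If the opener is expected to be the same application, `const targetOrigin = window.location.origin` pins the target with neither the wildcard escape hatch nor the cross-origin property read; if other origins must be supported, the allowed origin should come from configuration and the message should be dropped rather than sent to `'*'` when it is unknown. The comment on the line above should then state what is actually enforced, e.g. `// Deliver the result only to our own origin; never fall back to '*'`. The same `targetOrigin` feeds the three postMessage calls across both hunks, and the enclosing useOAuthCallback starts before the first hunk.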