From 3255484535bff51f3f213769186082eba743d5d6 Mon Sep 17 00:00:00 2001
From: Chaitanya Potti <chaitanya.potti@gmail.com>
Date: Wed, 1 Sep 2021 20:09:27 +0800
Subject: [PATCH 1/3] Fix insecure iframe messaging

---
 src/transports/PostMessageIframeTransport.ts | 5 +++--
 src/transports/PostMessageWindowTransport.ts | 3 ++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/transports/PostMessageIframeTransport.ts b/src/transports/PostMessageIframeTransport.ts
index 8b3f91d..f7a7c91 100644
--- a/src/transports/PostMessageIframeTransport.ts
+++ b/src/transports/PostMessageIframeTransport.ts
@@ -28,7 +28,8 @@ class PostMessageIframeTransport extends Transport {
     });
   }
   private messageHandler = (ev: MessageEvent) => {
-    this.transportRequestManager.resolveResponse(JSON.stringify(ev.data));
+    if (ev.origin === this.uri)
+      this.transportRequestManager.resolveResponse(JSON.stringify(ev.data));
   }
   public connect(): Promise<any> {
     const urlRegex = /^(http|https):\/\/.*$/;
@@ -46,7 +47,7 @@ class PostMessageIframeTransport extends Transport {
     const prom = this.transportRequestManager.addRequest(data, null);
     const notifications = getNotifications(data);
     if (this.frame) {
-      this.frame.postMessage((data as IJSONRPCData).request, "*");
+      this.frame.postMessage((data as IJSONRPCData).request, this.uri);
       this.transportRequestManager.settlePendingRequest(notifications);
     }
     return prom;
diff --git a/src/transports/PostMessageWindowTransport.ts b/src/transports/PostMessageWindowTransport.ts
index 1ad2fbb..ab1c6f9 100644
--- a/src/transports/PostMessageWindowTransport.ts
+++ b/src/transports/PostMessageWindowTransport.ts
@@ -36,7 +36,8 @@ class PostMessageTransport extends Transport {
   }
 
   private messageHandler = (ev: MessageEvent) => {
-    this.transportRequestManager.resolveResponse(JSON.stringify(ev.data));
+    if (ev.origin === this.uri)
+      this.transportRequestManager.resolveResponse(JSON.stringify(ev.data));
   }
 
   public connect(): Promise<any> {

From ededac842365821fd67a3847ffe74b4b542bc060 Mon Sep 17 00:00:00 2001
From: Chaitanya Potti <chaitanya.potti@gmail.com>
Date: Sat, 4 Sep 2021 17:13:02 +0800
Subject: [PATCH 2/3] use origin parameter instead of uri to account for path,
 query, hash etc

---
 src/transports/PostMessageIframeTransport.ts | 6 ++++--
 src/transports/PostMessageWindowTransport.ts | 6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/transports/PostMessageIframeTransport.ts b/src/transports/PostMessageIframeTransport.ts
index f7a7c91..7aec503 100644
--- a/src/transports/PostMessageIframeTransport.ts
+++ b/src/transports/PostMessageIframeTransport.ts
@@ -5,10 +5,12 @@ class PostMessageIframeTransport extends Transport {
   public uri: string;
   public frame: undefined | null | Window;
   public postMessageID: string;
+  public origin: string;
 
   constructor(uri: string) {
     super();
     this.uri = uri;
+    this.origin = new URL(uri).origin;
     this.postMessageID = `post-message-transport-${Math.random()}`;
   }
   public createWindow(uri: string): Promise<Window | null> {
@@ -28,7 +30,7 @@ class PostMessageIframeTransport extends Transport {
     });
   }
   private messageHandler = (ev: MessageEvent) => {
-    if (ev.origin === this.uri)
+    if (ev.origin === this.origin)
       this.transportRequestManager.resolveResponse(JSON.stringify(ev.data));
   }
   public connect(): Promise<any> {
@@ -47,7 +49,7 @@ class PostMessageIframeTransport extends Transport {
     const prom = this.transportRequestManager.addRequest(data, null);
     const notifications = getNotifications(data);
     if (this.frame) {
-      this.frame.postMessage((data as IJSONRPCData).request, this.uri);
+      this.frame.postMessage((data as IJSONRPCData).request, this.origin);
       this.transportRequestManager.settlePendingRequest(notifications);
     }
     return prom;
diff --git a/src/transports/PostMessageWindowTransport.ts b/src/transports/PostMessageWindowTransport.ts
index ab1c6f9..e3f4db8 100644
--- a/src/transports/PostMessageWindowTransport.ts
+++ b/src/transports/PostMessageWindowTransport.ts
@@ -18,10 +18,12 @@ class PostMessageTransport extends Transport {
   public uri: string;
   public frame: undefined | null | Window;
   public postMessageID: string;
+  public origin: string;
 
   constructor(uri: string) {
     super();
     this.uri = uri;
+    this.origin = new URL(uri).origin;
     this.postMessageID = `post-message-transport-${Math.random()}`;
   }
 
@@ -36,7 +38,7 @@ class PostMessageTransport extends Transport {
   }
 
   private messageHandler = (ev: MessageEvent) => {
-    if (ev.origin === this.uri)
+    if (ev.origin === this.origin)
       this.transportRequestManager.resolveResponse(JSON.stringify(ev.data));
   }
 
@@ -56,7 +58,7 @@ class PostMessageTransport extends Transport {
     const prom = this.transportRequestManager.addRequest(data, null);
     const notifications = getNotifications(data);
     if (this.frame) {
-      this.frame.postMessage((data as IJSONRPCData).request, this.uri);
+      this.frame.postMessage((data as IJSONRPCData).request, this.origin);
       this.transportRequestManager.settlePendingRequest(notifications);
     }
     return prom;

From 5b07385040d367b3ccbadd71b4f60de8dba72ff5 Mon Sep 17 00:00:00 2001
From: Chaitanya Potti <chaitanya.potti@gmail.com>
Date: Mon, 6 Sep 2021 17:10:45 +0800
Subject: [PATCH 3/3] add origin as ctor parameter

---
 src/transports/PostMessageIframeTransport.ts | 4 ++--
 src/transports/PostMessageWindowTransport.ts | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/transports/PostMessageIframeTransport.ts b/src/transports/PostMessageIframeTransport.ts
index 7aec503..b051c1b 100644
--- a/src/transports/PostMessageIframeTransport.ts
+++ b/src/transports/PostMessageIframeTransport.ts
@@ -7,10 +7,10 @@ class PostMessageIframeTransport extends Transport {
   public postMessageID: string;
   public origin: string;
 
-  constructor(uri: string) {
+  constructor(uri: string, origin?: string) {
     super();
     this.uri = uri;
-    this.origin = new URL(uri).origin;
+    this.origin = origin || new URL(uri).origin;
     this.postMessageID = `post-message-transport-${Math.random()}`;
   }
   public createWindow(uri: string): Promise<Window | null> {
diff --git a/src/transports/PostMessageWindowTransport.ts b/src/transports/PostMessageWindowTransport.ts
index e3f4db8..2f53e40 100644
--- a/src/transports/PostMessageWindowTransport.ts
+++ b/src/transports/PostMessageWindowTransport.ts
@@ -20,10 +20,10 @@ class PostMessageTransport extends Transport {
   public postMessageID: string;
   public origin: string;
 
-  constructor(uri: string) {
+  constructor(uri: string, origin?: string) {
     super();
     this.uri = uri;
-    this.origin = new URL(uri).origin;
+    this.origin = origin || new URL(uri).origin;
     this.postMessageID = `post-message-transport-${Math.random()}`;
   }