prevent DDOS, add security around window messaging
Glench committed Jun 25, 2021
1 parent 6a003ba commit 48e7c04
Showing 6 changed files with 61 additions and 11 deletions.
14 changes: 12 additions & 2 deletions ExtPay.dev.js
Expand Up @@ -9,8 +9,11 @@ import * as browser from 'webextension-polyfill';
// and pass it on to the background page to query if the user has paid.
if (typeof window !== 'undefined') {
window.addEventListener('message', (event) => {
if (event.origin !== 'http://localhost:3000') return;
if (event.source != window) return;
browser.runtime.sendMessage(event.data) // event.data === 'fetch-user'
if (event.data === 'fetch-user') {
browser.runtime.sendMessage(event.data)
}
}, false);
}

Expand Down Expand Up @@ -190,14 +193,21 @@ You can copy and paste this to your manifest.json file to fix this error:
}


var polling = false;
async function poll_user() {
// keep trying to fetch user in case stripe webhook is late
if (polling) return;
polling = true;
var user = await fetch_user()
for (var i=0; i < 2*60; ++i) {
if (user.paidAt) return user;
if (user.paidAt) {
polling = false;
return user;
}
await timeout(1000)
user = await fetch_user()
}
polling = false;
}

browser.runtime.onMessage.addListener(function(message, sender, send_response) {
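Review bot: The new `polling` guard in `poll_user` is never cleared when `fetch_user()` or `timeout()` rejects, so after a single failed poll every later call hits `if (polling) return;` immediately and the background page stops polling until it is reloaded. Wrapping the loop in try/finally keeps the one-loop-at-a-time behaviour this commit introduces while guaranteeing the flag is reset on every exit path. A caller that arrives while a poll is in flight now also receives `undefined` instead of a user object; the `onMessage` listener that starts at the end of this hunk and continues outside it should be checked for how it handles that. In the message listener above, `event.source != window` uses loose equality beside an origin check written with `!==`; `if (event.source !== window) return;` would be consistent. The same poll_user change is repeated in dist/ExtPay.common.js, dist/ExtPay.js, dist/ExtPay.module.js and sample-extension/ExtPay.js, which look like build outputs of this file and should be regenerated from the fix rather than patched separately.

```javascript
async function poll_user() {
    // keep trying to fetch user in case stripe webhook is late
    if (polling) return;
    polling = true;
    try {
        var user = await fetch_user()
        for (var i=0; i < 2*60; ++i) {
            if (user.paidAt) return user;
            await timeout(1000)
            user = await fetch_user()
        }
    } finally {
        // cleared on every exit path, including a rejected fetch_user()/timeout()
        polling = false;
    }
}
```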
14 changes: 12 additions & 2 deletions dist/ExtPay.common.js
Expand Up @@ -9,8 +9,11 @@ var browser = require('webextension-polyfill');
// and pass it on to the background page to query if the user has paid.
if (typeof window !== 'undefined') {
window.addEventListener('message', (event) => {
if (event.origin !== 'https://extensionpay.com') return;
if (event.source != window) return;
browser.runtime.sendMessage(event.data); // event.data === 'fetch-user'
if (event.data === 'fetch-user') {
browser.runtime.sendMessage(event.data);
}
}, false);
}

Expand Down Expand Up @@ -190,14 +193,21 @@ You can copy and paste this to your manifest.json file to fix this error:
}


var polling = false;
async function poll_user() {
// keep trying to fetch user in case stripe webhook is late
if (polling) return;
polling = true;
var user = await fetch_user();
for (var i=0; i < 2*60; ++i) {
if (user.paidAt) return user;
if (user.paidAt) {
polling = false;
return user;
}
await timeout(1000);
user = await fetch_user();
}
polling = false;
}

browser.runtime.onMessage.addListener(function(message, sender, send_response) {
14 changes: 12 additions & 2 deletions dist/ExtPay.js
Expand Up @@ -1238,8 +1238,11 @@ var ExtPay = (function () {
// and pass it on to the background page to query if the user has paid.
if (typeof window !== 'undefined') {
window.addEventListener('message', (event) => {
if (event.origin !== 'https://extensionpay.com') return;
if (event.source != window) return;
browserPolyfill.runtime.sendMessage(event.data); // event.data === 'fetch-user'
if (event.data === 'fetch-user') {
browserPolyfill.runtime.sendMessage(event.data);
}
}, false);
}

Expand Down Expand Up @@ -1419,14 +1422,21 @@ You can copy and paste this to your manifest.json file to fix this error:
}


var polling = false;
async function poll_user() {
// keep trying to fetch user in case stripe webhook is late
if (polling) return;
polling = true;
var user = await fetch_user();
for (var i=0; i < 2*60; ++i) {
if (user.paidAt) return user;
if (user.paidAt) {
polling = false;
return user;
}
await timeout(1000);
user = await fetch_user();
}
polling = false;
}

browserPolyfill.runtime.onMessage.addListener(function(message, sender, send_response) {
14 changes: 12 additions & 2 deletions dist/ExtPay.module.js
Expand Up @@ -7,8 +7,11 @@ import { management, runtime, storage, windows } from 'webextension-polyfill';
// and pass it on to the background page to query if the user has paid.
if (typeof window !== 'undefined') {
window.addEventListener('message', (event) => {
if (event.origin !== 'https://extensionpay.com') return;
if (event.source != window) return;
runtime.sendMessage(event.data); // event.data === 'fetch-user'
if (event.data === 'fetch-user') {
runtime.sendMessage(event.data);
}
}, false);
}

Expand Down Expand Up @@ -188,14 +191,21 @@ You can copy and paste this to your manifest.json file to fix this error:
}


var polling = false;
async function poll_user() {
// keep trying to fetch user in case stripe webhook is late
if (polling) return;
polling = true;
var user = await fetch_user();
for (var i=0; i < 2*60; ++i) {
if (user.paidAt) return user;
if (user.paidAt) {
polling = false;
return user;
}
await timeout(1000);
user = await fetch_user();
}
polling = false;
}

runtime.onMessage.addListener(function(message, sender, send_response) {
2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "extpay",
"version": "2.2.1",
"version": "2.3.0",
"description": "The JavaScript library for https://extensionpay.com - payments for browser extensions, no server needed.",
"main": "./dist/ExtPay.common.js",
"module": "./dist/ExtPay.module.js",
14 changes: 12 additions & 2 deletions sample-extension/ExtPay.js
Expand Up @@ -1238,8 +1238,11 @@ var ExtPay = (function () {
// and pass it on to the background page to query if the user has paid.
if (typeof window !== 'undefined') {
window.addEventListener('message', (event) => {
if (event.origin !== 'https://extensionpay.com') return;
if (event.source != window) return;
browserPolyfill.runtime.sendMessage(event.data); // event.data === 'fetch-user'
if (event.data === 'fetch-user') {
browserPolyfill.runtime.sendMessage(event.data);
}
}, false);
}

Expand Down Expand Up @@ -1419,14 +1422,21 @@ You can copy and paste this to your manifest.json file to fix this error:
}


var polling = false;
async function poll_user() {
// keep trying to fetch user in case stripe webhook is late
if (polling) return;
polling = true;
var user = await fetch_user();
for (var i=0; i < 2*60; ++i) {
if (user.paidAt) return user;
if (user.paidAt) {
polling = false;
return user;
}
await timeout(1000);
user = await fetch_user();
}
polling = false;
}

browserPolyfill.runtime.onMessage.addListener(function(message, sender, send_response) {
