fix(web): restrict postMessage targetOrigin from wildcard to specific origins (#30690)

Co-authored-by: XW <wei.xu1@wiz.ai>
2026-01-08 17:23:27 +08:00 · 2026-01-08 17:23:27 +08:00 · b2cbeeae92
parent cd1af04dee
commit b2cbeeae92
2 changed files with 9 additions and 4 deletions
--- a/web/app/components/base/chat/embedded-chatbot/header/index.tsx
+++ b/web/app/components/base/chat/embedded-chatbot/header/index.tsx
@ -66,7 +66,9 @@ const Header: FC<IHeaderProps> = ({
    const listener = (event: MessageEvent) => handleMessageReceived(event)
    window.addEventListener('message', listener)

-    window.parent.postMessage({ type: 'dify-chatbot-iframe-ready' }, '*')
+    // Security: Use document.referrer to get parent origin
+    const targetOrigin = document.referrer ? new URL(document.referrer).origin : '*'
+    window.parent.postMessage({ type: 'dify-chatbot-iframe-ready' }, targetOrigin)

    return () => window.removeEventListener('message', listener)
  }, [isIframe, handleMessageReceived])
--- a/web/hooks/use-oauth.ts
+++ b/web/hooks/use-oauth.ts
@ -10,12 +10,15 @@ export const useOAuthCallback = () => {
    const errorDescription = urlParams.get('error_description')

    if (window.opener) {
+      // Use window.opener.origin instead of '*' for security
+      const targetOrigin = window.opener?.origin || '*'
+
      if (subscriptionId) {
        window.opener.postMessage({
          type: 'oauth_callback',
          success: true,
          subscriptionId,
-        }, '*')
+        }, targetOrigin)
      }
      else if (error) {
        window.opener.postMessage({
@ -23,12 +26,12 @@ export const useOAuthCallback = () => {
          success: false,
          error,
          errorDescription,
-        }, '*')
+        }, targetOrigin)
      }
      else {
        window.opener.postMessage({
          type: 'oauth_callback',
-        }, '*')
+        }, targetOrigin)
      }
      window.close()
    }