fix(ipc/preload): verify origin before doing some preload calls

socketsupply · Sep 2, 2024 · f23d919 · f23d919
1 parent 33242a1
commit f23d919
Showing 1 changed file with 16 additions and 6 deletions.
diff --git a/src/ipc/preload.cc b/src/ipc/preload.cc
@@ -273,7 +273,7 @@ namespace SSC::IPC {
               configurable: false,
               enumerable: true,
               writable: false,
-              value: globalThis.parent !== globalThis
+              value: globalThis.parent !== globalThis && globalThis.origin.includes(globalThis.__args.config.meta_bundle_identifier)
 	              ? globalThis.parent?.__args?.client ?? null
 	              : null
             },
@@ -429,7 +429,11 @@ namespace SSC::IPC {
 
       // 10. compile listeners for `globalThis`
       buffers.push_back(R"JAVASCRIPT(
-        if (globalThis.document && !globalThis.RUNTIME_APPLICATION_URL_EVENT_BACKLOG) {
+        if (
+          globalThis.document &&
+          !globalThis.RUNTIME_APPLICATION_URL_EVENT_BACKLOG &&
+          globalThis.origin.includes(globalThis.__args.config.meta_bundle_identifier)
+         ) {
           Object.defineProperties(globalThis, {
             RUNTIME_APPLICATION_URL_EVENT_BACKLOG: {
               configurable: false,
@@ -503,8 +507,10 @@ namespace SSC::IPC {
       if (this->options.features.useHTMLMarkup && this->options.features.useESM) {
         buffers.push_back(tmpl(
           R"JAVASCRIPT(
-            import 'socket:internal/init'
-            {{userScript}}
+            if (globalThis.origin.includes(globalThis.__args.config.meta_bundle_identifier) {
+              await import('socket:internal/init')
+              {{userScript}}
+            }
           )JAVASCRIPT",
           Map {{"userScript", this->options.userScript}}
         ));
@@ -516,15 +522,19 @@ namespace SSC::IPC {
               {{userScript}}
             }
 
-            if (globalThis.document && globalThis.document.readyState !== 'complete') {
+            if (
+              globalThis.document &&
+              globalThis.document.readyState !== 'complete' &&
+              globalThis.origin.includes(globalThis.__args.config.meta_bundle_identifier)
+            ) {
               globalThis.document.addEventListener('readystatechange', () => {
                 if(/interactive|complete/.test(globalThis.document.readyState)) {
                   import('socket:internal/init')
                     .then(userScriptCallback)
                     .catch(console.error)
                 }
               })
-            } else {
+            } else if (globalThis.origin.includes(globalThis.__args.config.meta_bundle_identifier)) {
               import('socket:internal/init')
                 .then(userScriptCallback)
                 .catch(console.error)