diff --git a/.dev.sample.json b/.dev.sample.json index 67bf186..5f6cc28 100644 --- a/.dev.sample.json +++ b/.dev.sample.json @@ -1,4 +1,5 @@ { "DEFAULT_API_URL": "https://app.simplelogin.io", + "EXTRA_ALLOWED_DOMAINS": [], "permissions": [] } \ No newline at end of file diff --git a/src/background/index.js b/src/background/index.js index 843b27a..cdd0602 100644 --- a/src/background/index.js +++ b/src/background/index.js @@ -61,21 +61,26 @@ async function handleExtensionSetup() { /** * Check if a message comes from an authorized source * @param {string} url - * @returns {Promise} + * @returns boolean */ -const isMessageAllowed = async (url) => { +const isMessageAllowed = (url) => { + console.log("Received message from " + url); const requestUrl = new URL(url); const apiUrl = new URL(SLStorage.DEFAULT_SETTINGS[SLStorage.SETTINGS.API_URL]); - const ALLOWED_SOURCES = [ + let allowedSources = [ new RegExp(apiUrl.hostname), new RegExp("^app\\.simplelogin\\.io$"), - new RegExp("^.*\\.proton\\.ch$"), new RegExp("^.*\\.protonmail\\.ch$"), new RegExp("^.*\\.protonmail\\.com$"), ]; - for (const source of ALLOWED_SOURCES) { + const extraAllowedDomains = SLStorage.DEFAULT_SETTINGS[SLStorage.SETTINGS.EXTRA_ALLOWED_DOMAINS]; + for (const extra of extraAllowedDomains) { + allowedSources.push(new RegExp(extra)); + } + + for (const source of allowedSources) { if (source.test(requestUrl.host)) return true; } return false; @@ -85,14 +90,17 @@ const isMessageAllowed = async (url) => { * Register onMessage listener */ browser.runtime.onMessage.addListener(async function (request, sender) { - const isAllowed = await isMessageAllowed(sender.url); - if (!isAllowed) return; - + // Check messages allowed from everywhere if (request.tag === "NEW_RANDOM_ALIAS") { return await handleNewRandomAlias(request.currentUrl); } else if (request.tag === "GET_APP_SETTINGS") { return await handleGetAppSettings(); - } else if (request.tag === "EXTENSION_SETUP") { + } + + // Check messages allowed only from authorized sources + if (!isMessageAllowed(sender.url)) return; + + if (request.tag === "EXTENSION_SETUP") { return await handleExtensionSetup(); } }); diff --git a/src/popup/SLStorage.js b/src/popup/SLStorage.js index 4983897..82a06b5 100644 --- a/src/popup/SLStorage.js +++ b/src/popup/SLStorage.js @@ -10,6 +10,7 @@ class SLStorage { NOT_ASKING_RATE: "notAskingRate", SHOW_SL_BUTTON: "showSLButton", SL_BUTTON_POSITION: "SLButtonPosition", + EXTRA_ALLOWED_DOMAINS: [], }; static DEFAULT_SETTINGS = { @@ -20,6 +21,9 @@ class SLStorage { [SLStorage.SETTINGS.NOT_ASKING_RATE]: false, [SLStorage.SETTINGS.SHOW_SL_BUTTON]: true, [SLStorage.SETTINGS.SL_BUTTON_POSITION]: "right-inside", + [SLStorage.SETTINGS.EXTRA_ALLOWED_DOMAINS]: devConfig + ? devConfig.EXTRA_ALLOWED_DOMAINS + : [] }; static set(key, value) {