author | Florian Dold <florian.dold@gmail.com> | 2018-02-07 16:15:40 +0100 |
---|---|---|
committer | Florian Dold <florian.dold@gmail.com> | 2018-02-07 16:15:40 +0100 |
commit | f1bef0473bf5e3f2661dd6ba82f6350164ff69ab (patch) | |
tree | 528f0125de466c6cb2fd64b8be71700c29f86e1e | |
parent | 9b0cd71a4dea13fa80c69d0ff8644e3a77c34874 (diff) |
prevent embedding wallet pages in other web pages
-rw-r--r-- | gulpfile.js | 2 | ||||
-rw-r--r-- | manifest.json | 2 | ||||
-rw-r--r-- | src/i18n/de.po | 28 | ||||
-rw-r--r-- | src/i18n/en-US.po | 28 | ||||
-rw-r--r-- | src/i18n/fr.po | 28 | ||||
-rw-r--r-- | src/i18n/it.po | 28 | ||||
-rw-r--r-- | src/i18n/taler-wallet-webex.pot | 28 | ||||
-rw-r--r-- | src/webex/pages/redirect.html | 14 | ||||
-rw-r--r-- | src/webex/pages/redirect.js | 12 | ||||
-rw-r--r-- | src/webex/wxBackend.ts | 37 |
10 files changed, 120 insertions, 87 deletions
diff --git a/gulpfile.js b/gulpfile.js index f8e0c90fa..f9ba97b74 100644 --- a/gulpfile.js +++ b/gulpfile.js @@ -73,7 +73,7 @@ const paths = { "emscripten/taler-emscripten-lib.js", "img/icon.png", "img/logo.png", - "src/**/*.{css,html}", + "src/**/*.{js,css,html}", ], // for the source distribution extra: [ diff --git a/manifest.json b/manifest.json index 271cceeb1..3df7aa687 100644 --- a/manifest.json +++ b/manifest.json @@ -50,7 +50,7 @@ ], "web_accessible_resources": [ - "src/*" + "src/webex/pages/redirect.html" ], "background": { diff --git a/src/i18n/de.po b/src/i18n/de.po index 37748180d..d96299de1 100644 --- a/src/i18n/de.po +++ b/src/i18n/de.po @@ -206,41 +206,41 @@ msgstr "" msgid "%1$s being spent\n" msgstr "" -#: src/webex/pages/popup.tsx:309 +#: src/webex/pages/popup.tsx:310 #, c-format msgid "Error: could not retrieve balance information." msgstr "" -#: src/webex/pages/popup.tsx:336 +#: src/webex/pages/popup.tsx:337 #, c-format msgid "Payback" msgstr "" -#: src/webex/pages/popup.tsx:337 +#: src/webex/pages/popup.tsx:338 #, c-format msgid "Return Electronic Cash to Bank Account" msgstr "" -#: src/webex/pages/popup.tsx:338 +#: src/webex/pages/popup.tsx:339 #, c-format msgid "Manage Trusted Auditors and Exchanges" msgstr "" -#: src/webex/pages/popup.tsx:350 +#: src/webex/pages/popup.tsx:351 #, fuzzy, c-format msgid "" "Bank requested reserve (%1$s) for\n" " %2$s.\n" msgstr "Bank bestätig anlegen der Reserve (%1$s) bei %2$s" -#: src/webex/pages/popup.tsx:360 +#: src/webex/pages/popup.tsx:361 #, fuzzy, c-format msgid "" "Started to withdraw\n" " %1$s%2$sfrom%3$s(%4$s).\n" msgstr "Reserve (%1$s) mit %2$s bei %3$s erzeugt" -#: src/webex/pages/popup.tsx:369 +#: src/webex/pages/popup.tsx:370 #, fuzzy, c-format msgid "Merchant%1$soffered%2$scontract%3$s.\n" msgstr "" 
@@ -248,24 +248,24 @@ msgstr "" " möchte einen Vertrag über %2$s\n" " mit Ihnen abschließen." -#: src/webex/pages/popup.tsx:380 +#: src/webex/pages/popup.tsx:381 #, fuzzy, c-format msgid "Withdrew%1$sfrom%2$s(%3$s).\n" msgstr "Reserve (%1$s) mit %2$s bei %3$s erzeugt" -#: src/webex/pages/popup.tsx:390 +#: src/webex/pages/popup.tsx:391 #, fuzzy, c-format msgid "" "Paid%1$sto merchant%2$s.\n" "%3$s(%4$s)\n" msgstr "Reserve (%1$s) mit %2$s bei %3$s erzeugt" -#: src/webex/pages/popup.tsx:400 +#: src/webex/pages/popup.tsx:401 #, c-format msgid "Merchant%1$sgave a refund over%2$s.\n" msgstr "" -#: src/webex/pages/popup.tsx:410 +#: src/webex/pages/popup.tsx:411 #, fuzzy, c-format msgid "" "Merchant%1$sgave\n" @@ -276,17 +276,17 @@ msgstr "" " möchte einen Vertrag über %2$s\n" " mit Ihnen abschließen." -#: src/webex/pages/popup.tsx:420 +#: src/webex/pages/popup.tsx:421 #, c-format msgid "Unknown event (%1$s)" msgstr "" -#: src/webex/pages/popup.tsx:463 +#: src/webex/pages/popup.tsx:464 #, c-format msgid "Error: could not retrieve event history" msgstr "" -#: src/webex/pages/popup.tsx:488 +#: src/webex/pages/popup.tsx:489 #, c-format msgid "Your wallet has no events recorded." msgstr "Ihre Geldbörse verzeichnet keine Vorkommnisse." diff --git a/src/i18n/en-US.po b/src/i18n/en-US.po index c56d57f44..665b2771a 100644 --- a/src/i18n/en-US.po +++ b/src/i18n/en-US.po 
@@ -206,63 +206,63 @@ msgstr "" msgid "%1$s being spent\n" msgstr "" -#: src/webex/pages/popup.tsx:309 +#: src/webex/pages/popup.tsx:310 #, c-format msgid "Error: could not retrieve balance information." msgstr "" -#: src/webex/pages/popup.tsx:336 +#: src/webex/pages/popup.tsx:337 #, c-format msgid "Payback" msgstr "" -#: src/webex/pages/popup.tsx:337 +#: src/webex/pages/popup.tsx:338 #, c-format msgid "Return Electronic Cash to Bank Account" msgstr "" -#: src/webex/pages/popup.tsx:338 +#: src/webex/pages/popup.tsx:339 #, c-format msgid "Manage Trusted Auditors and Exchanges" msgstr "" -#: src/webex/pages/popup.tsx:350 +#: src/webex/pages/popup.tsx:351 #, c-format msgid "" "Bank requested reserve (%1$s) for\n" " %2$s.\n" msgstr "" -#: src/webex/pages/popup.tsx:360 +#: src/webex/pages/popup.tsx:361 #, c-format msgid "" "Started to withdraw\n" " %1$s%2$sfrom%3$s(%4$s).\n" msgstr "" -#: src/webex/pages/popup.tsx:369 +#: src/webex/pages/popup.tsx:370 #, c-format msgid "Merchant%1$soffered%2$scontract%3$s.\n" msgstr "" -#: src/webex/pages/popup.tsx:380 +#: src/webex/pages/popup.tsx:381 #, c-format msgid "Withdrew%1$sfrom%2$s(%3$s).\n" msgstr "" -#: src/webex/pages/popup.tsx:390 +#: src/webex/pages/popup.tsx:391 #, c-format msgid "" "Paid%1$sto merchant%2$s.\n" "%3$s(%4$s)\n" msgstr "" -#: src/webex/pages/popup.tsx:400 +#: src/webex/pages/popup.tsx:401 #, c-format msgid "Merchant%1$sgave a refund over%2$s.\n" msgstr "" -#: src/webex/pages/popup.tsx:410 +#: src/webex/pages/popup.tsx:411 #, c-format msgid "" "Merchant%1$sgave\n" @@ -270,17 +270,17 @@ msgid "" "%4$s%5$s" msgstr "" -#: src/webex/pages/popup.tsx:420 +#: src/webex/pages/popup.tsx:421 #, c-format msgid "Unknown event (%1$s)" msgstr "" -#: src/webex/pages/popup.tsx:463 +#: src/webex/pages/popup.tsx:464 #, c-format msgid "Error: could not retrieve event history" msgstr "" -#: src/webex/pages/popup.tsx:488 +#: src/webex/pages/popup.tsx:489 #, c-format msgid "Your wallet has no events recorded." msgstr "" 
diff --git a/src/i18n/fr.po b/src/i18n/fr.po index b5b7259ee..4a50742b8 100644 --- a/src/i18n/fr.po +++ b/src/i18n/fr.po @@ -206,63 +206,63 @@ msgstr "" msgid "%1$s being spent\n" msgstr "" -#: src/webex/pages/popup.tsx:309 +#: src/webex/pages/popup.tsx:310 #, c-format msgid "Error: could not retrieve balance information." msgstr "" -#: src/webex/pages/popup.tsx:336 +#: src/webex/pages/popup.tsx:337 #, c-format msgid "Payback" msgstr "" -#: src/webex/pages/popup.tsx:337 +#: src/webex/pages/popup.tsx:338 #, c-format msgid "Return Electronic Cash to Bank Account" msgstr "" -#: src/webex/pages/popup.tsx:338 +#: src/webex/pages/popup.tsx:339 #, c-format msgid "Manage Trusted Auditors and Exchanges" msgstr "" -#: src/webex/pages/popup.tsx:350 +#: src/webex/pages/popup.tsx:351 #, c-format msgid "" "Bank requested reserve (%1$s) for\n" " %2$s.\n" msgstr "" -#: src/webex/pages/popup.tsx:360 +#: src/webex/pages/popup.tsx:361 #, c-format msgid "" "Started to withdraw\n" " %1$s%2$sfrom%3$s(%4$s).\n" msgstr "" -#: src/webex/pages/popup.tsx:369 +#: src/webex/pages/popup.tsx:370 #, c-format msgid "Merchant%1$soffered%2$scontract%3$s.\n" msgstr "" -#: src/webex/pages/popup.tsx:380 +#: src/webex/pages/popup.tsx:381 #, c-format msgid "Withdrew%1$sfrom%2$s(%3$s).\n" msgstr "" -#: src/webex/pages/popup.tsx:390 +#: src/webex/pages/popup.tsx:391 #, c-format msgid "" "Paid%1$sto merchant%2$s.\n" "%3$s(%4$s)\n" msgstr "" -#: src/webex/pages/popup.tsx:400 +#: src/webex/pages/popup.tsx:401 #, c-format msgid "Merchant%1$sgave a refund over%2$s.\n" msgstr "" -#: src/webex/pages/popup.tsx:410 +#: src/webex/pages/popup.tsx:411 #, c-format msgid "" "Merchant%1$sgave\n" 
@@ -270,17 +270,17 @@ msgid "" "%4$s%5$s" msgstr "" -#: src/webex/pages/popup.tsx:420 +#: src/webex/pages/popup.tsx:421 #, c-format msgid "Unknown event (%1$s)" msgstr "" -#: src/webex/pages/popup.tsx:463 +#: src/webex/pages/popup.tsx:464 #, c-format msgid "Error: could not retrieve event history" msgstr "" -#: src/webex/pages/popup.tsx:488 +#: src/webex/pages/popup.tsx:489 #, c-format msgid "Your wallet has no events recorded." msgstr "" diff --git a/src/i18n/it.po b/src/i18n/it.po index b5b7259ee..4a50742b8 100644 --- a/src/i18n/it.po +++ b/src/i18n/it.po 
@@ -206,63 +206,63 @@ msgstr "" msgid "%1$s being spent\n" msgstr "" -#: src/webex/pages/popup.tsx:309 +#: src/webex/pages/popup.tsx:310 #, c-format msgid "Error: could not retrieve balance information." msgstr "" -#: src/webex/pages/popup.tsx:336 +#: src/webex/pages/popup.tsx:337 #, c-format msgid "Payback" msgstr "" -#: src/webex/pages/popup.tsx:337 +#: src/webex/pages/popup.tsx:338 #, c-format msgid "Return Electronic Cash to Bank Account" msgstr "" -#: src/webex/pages/popup.tsx:338 +#: src/webex/pages/popup.tsx:339 #, c-format msgid "Manage Trusted Auditors and Exchanges" msgstr "" -#: src/webex/pages/popup.tsx:350 +#: src/webex/pages/popup.tsx:351 #, c-format msgid "" "Bank requested reserve (%1$s) for\n" " %2$s.\n" msgstr "" -#: src/webex/pages/popup.tsx:360 +#: src/webex/pages/popup.tsx:361 #, c-format msgid "" "Started to withdraw\n" " %1$s%2$sfrom%3$s(%4$s).\n" msgstr "" -#: src/webex/pages/popup.tsx:369 +#: src/webex/pages/popup.tsx:370 #, c-format msgid "Merchant%1$soffered%2$scontract%3$s.\n" msgstr "" -#: src/webex/pages/popup.tsx:380 +#: src/webex/pages/popup.tsx:381 #, c-format msgid "Withdrew%1$sfrom%2$s(%3$s).\n" msgstr "" -#: src/webex/pages/popup.tsx:390 +#: src/webex/pages/popup.tsx:391 #, c-format msgid "" "Paid%1$sto merchant%2$s.\n" "%3$s(%4$s)\n" msgstr "" -#: src/webex/pages/popup.tsx:400 +#: src/webex/pages/popup.tsx:401 #, c-format msgid "Merchant%1$sgave a refund over%2$s.\n" msgstr "" -#: src/webex/pages/popup.tsx:410 +#: src/webex/pages/popup.tsx:411 #, c-format msgid "" "Merchant%1$sgave\n" @@ -270,17 +270,17 @@ msgid "" "%4$s%5$s" msgstr "" -#: src/webex/pages/popup.tsx:420 +#: src/webex/pages/popup.tsx:421 #, c-format msgid "Unknown event (%1$s)" msgstr "" -#: src/webex/pages/popup.tsx:463 +#: src/webex/pages/popup.tsx:464 #, c-format msgid "Error: could not retrieve event history" msgstr "" -#: src/webex/pages/popup.tsx:488 +#: src/webex/pages/popup.tsx:489 #, c-format msgid "Your wallet has no events recorded." msgstr "" 
diff --git a/src/i18n/taler-wallet-webex.pot b/src/i18n/taler-wallet-webex.pot index b5b7259ee..4a50742b8 100644 --- a/src/i18n/taler-wallet-webex.pot +++ b/src/i18n/taler-wallet-webex.pot @@ -206,63 +206,63 @@ msgstr "" msgid "%1$s being spent\n" msgstr "" -#: src/webex/pages/popup.tsx:309 +#: src/webex/pages/popup.tsx:310 #, c-format msgid "Error: could not retrieve balance information." msgstr "" -#: src/webex/pages/popup.tsx:336 +#: src/webex/pages/popup.tsx:337 #, c-format msgid "Payback" msgstr "" -#: src/webex/pages/popup.tsx:337 +#: src/webex/pages/popup.tsx:338 #, c-format msgid "Return Electronic Cash to Bank Account" msgstr "" -#: src/webex/pages/popup.tsx:338 +#: src/webex/pages/popup.tsx:339 #, c-format msgid "Manage Trusted Auditors and Exchanges" msgstr "" -#: src/webex/pages/popup.tsx:350 +#: src/webex/pages/popup.tsx:351 #, c-format msgid "" "Bank requested reserve (%1$s) for\n" " %2$s.\n" msgstr "" -#: src/webex/pages/popup.tsx:360 +#: src/webex/pages/popup.tsx:361 #, c-format msgid "" "Started to withdraw\n" " %1$s%2$sfrom%3$s(%4$s).\n" msgstr "" -#: src/webex/pages/popup.tsx:369 +#: src/webex/pages/popup.tsx:370 #, c-format msgid "Merchant%1$soffered%2$scontract%3$s.\n" msgstr "" -#: src/webex/pages/popup.tsx:380 +#: src/webex/pages/popup.tsx:381 #, c-format msgid "Withdrew%1$sfrom%2$s(%3$s).\n" msgstr "" -#: src/webex/pages/popup.tsx:390 +#: src/webex/pages/popup.tsx:391 #, c-format msgid "" "Paid%1$sto merchant%2$s.\n" "%3$s(%4$s)\n" msgstr "" -#: src/webex/pages/popup.tsx:400 +#: src/webex/pages/popup.tsx:401 #, c-format msgid "Merchant%1$sgave a refund over%2$s.\n" msgstr "" -#: src/webex/pages/popup.tsx:410 +#: src/webex/pages/popup.tsx:411 #, c-format msgid "" "Merchant%1$sgave\n" 
@@ -270,17 +270,17 @@ msgid "" "%4$s%5$s" msgstr "" -#: src/webex/pages/popup.tsx:420 +#: src/webex/pages/popup.tsx:421 #, c-format msgid "Unknown event (%1$s)" msgstr "" -#: src/webex/pages/popup.tsx:463 +#: src/webex/pages/popup.tsx:464 #, c-format msgid "Error: could not retrieve event history" msgstr "" -#: src/webex/pages/popup.tsx:488 +#: src/webex/pages/popup.tsx:489 #, c-format msgid "Your wallet has no events recorded." msgstr "" diff --git a/src/webex/pages/redirect.html b/src/webex/pages/redirect.html new file mode 100644 index 000000000..9d07d3d2b --- /dev/null +++ b/src/webex/pages/redirect.html @@ -0,0 +1,14 @@ +<!DOCTYPE html> +<html> + +<head> + <meta charset="utf-8"> + + <script src="/src/webex/pages/redirect.js"></script> +</head> + +<body> + Redirecting to extension page ... +</body> + +</html> diff --git a/src/webex/pages/redirect.js b/src/webex/pages/redirect.js new file mode 100644 index 000000000..5a758cce4 --- /dev/null +++ b/src/webex/pages/redirect.js @@ -0,0 +1,12 @@ +/** + * This is the entry point for redirects, and should be the only + * web-accessible resource declared in the manifest. This prevents + * malicious websites from embedding wallet pages in them. + * + * We still need this redirect page since a webRequest can only directly + * redirect to pages inside the extension that are a web-accessible resource. + */ + + +const myUrl = new URL(window.location.href); +window.location.replace(myUrl.searchParams.get("url")); diff --git a/src/webex/wxBackend.ts b/src/webex/wxBackend.ts index a778cc986..f1116637d 100644 --- a/src/webex/wxBackend.ts +++ b/src/webex/wxBackend.ts 
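Review bot: In the new src/webex/pages/redirect.js the target of `window.location.replace(myUrl.searchParams.get("url"))` is used verbatim, with no check that it points back into this extension and no handling of a missing parameter (a missing `url` yields `replace("null")`, a relative navigation). Since redirect.html is now the one web-accessible resource, any web page can load it with an attacker-chosen `url`, and whether the browser then blocks the follow-up navigation to a non-listed extension page is a property of the engine rather than of this code, so the header comment's claim that this "prevents malicious websites from embedding wallet pages" rests on the browser, not on the script. I would constrain the target to same-origin pages under `/src/webex/pages/` and refuse to act when the document is framed; the framing check assumes the 402 redirect in wxBackend.ts is only expected for top-level navigations, which is worth confirming. Rewritten body below.
```javascript
const myUrl = new URL(window.location.href);
const target = myUrl.searchParams.get("url");
// Only follow redirects to this extension's own pages, and never when
// this document has been embedded by another page.
if (window.self !== window.top || target === null) {
  throw new Error("refusing redirect");
}
const targetUrl = new URL(target, window.location.href);
if (targetUrl.origin !== window.location.origin ||
    !targetUrl.pathname.startsWith("/src/webex/pages/")) {
  throw new Error("refusing redirect to a URL outside the wallet pages");
}
window.location.replace(targetUrl.href);
```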
@@ -449,6 +449,21 @@ async function talerPay(fields: any, url: string, tabId: number): Promise<string } +function makeSyncWalletRedirect(url: string, params?: {[name: string]: string | undefined}): object { + const innerUrl = new URI(chrome.extension.getURL("/src/webex/pages/" + url)); + if (params) { + for (const key in params) { + if (params[key]) { + innerUrl.addSearch(key, params[key]); + } + } + } + const outerUrl = new URI(chrome.extension.getURL("/src/webex/pages/redirect.html")); + outerUrl.addSearch("url", innerUrl); + return { redirectUrl: outerUrl.href() }; +} + + /** * Handle a HTTP response that has the "402 Payment Required" status. * In this callback we don't have access to the body, and must communicate via 
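Review bot: The return type `object` on `makeSyncWalletRedirect` discards the shape the webRequest callback actually needs; since the file already uses the `chrome.webRequest` types, the signature can be `function makeSyncWalletRedirect(url: string, params?: {[name: string]: string | undefined}): chrome.webRequest.BlockingResponse {`, which lets the compiler check the `redirectUrl` property. The `for (const key in params)` loop also walks inherited enumerable properties; `for (const [key, value] of Object.entries(params))` with `if (value)` is the idiomatic form and preserves the existing truthiness filter that drops empty values. Finally, `outerUrl.addSearch("url", innerUrl)` passes a URI object rather than a string; if URI.js does not stringify object values the way intended, `outerUrl.addSearch("url", innerUrl.href());` makes the serialization explicit. The doc comment that starts in the trailing context of this hunk continues outside it.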
@@ -497,30 +512,22 @@ function handleHttpPayment(headerList: chrome.webRequest.HttpHeader[], url: stri } // Synchronous fast path for new contract if (fields.contract_url) { - const uri = new URI(chrome.extension.getURL("/src/webex/pages/confirm-contract.html")); - uri.addSearch("contractUrl", fields.contract_url); - if (fields.session_id) { - uri.addSearch("sessionId", fields.session_id); - } - if (fields.resource_url) { - uri.addSearch("resourceUrl", fields.resource_url); - } - return { redirectUrl: uri.href() }; + return makeSyncWalletRedirect("confirm-contract.html", { + contractUrl: fields.contract_url, + sessionId: fields.session_id, + resourceUrl: fields.resource_url, + }); } // Synchronous fast path for tip if (fields.tip) { - const uri = new URI(chrome.extension.getURL("/src/webex/pages/tip.html")); - uri.query({ tip_token: fields.tip }); - return { redirectUrl: uri.href() }; + return makeSyncWalletRedirect("tip.html", { tip_token: fields.tip }); } // Synchronous fast path for refund if (fields.refund_url) { console.log("processing refund"); - const uri = new URI(chrome.extension.getURL("/src/webex/pages/refund.html")); - uri.query({ refundUrl: fields.refund_url }); - return { redirectUrl: uri.href() }; + return makeSyncWalletRedirect("refund.html", { refundUrl: fields.refund_url }); } // We need to do some asynchronous operation, we can't directly redirect |