| author | Florian Dold <florian.dold@gmail.com> | 2018-02-07 16:15:40 +0100 | 
|---|---|---|
| committer | Florian Dold <florian.dold@gmail.com> | 2018-02-07 16:15:40 +0100 | 
| commit | f1bef0473bf5e3f2661dd6ba82f6350164ff69ab (patch) | |
| tree | 528f0125de466c6cb2fd64b8be71700c29f86e1e /src/webex | |
| parent | 9b0cd71a4dea13fa80c69d0ff8644e3a77c34874 (diff) | |
prevent embedding wallet pages in other web pages
Diffstat (limited to 'src/webex')
| -rw-r--r-- | src/webex/pages/redirect.html | 14 | ||||
| -rw-r--r-- | src/webex/pages/redirect.js | 12 | ||||
| -rw-r--r-- | src/webex/wxBackend.ts | 37 | 
3 files changed, 48 insertions, 15 deletions
| diff --git a/src/webex/pages/redirect.html b/src/webex/pages/redirect.html
new file mode 100644
index 000000000..9d07d3d2b
--- /dev/null
+++ b/src/webex/pages/redirect.html
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+  <meta charset="utf-8">
+
+  <script src="/src/webex/pages/redirect.js"></script>
+</head>
+
+<body>
+  Redirecting to extension page ...
+</body>
+
+</html>
diff --git a/src/webex/pages/redirect.js b/src/webex/pages/redirect.js
new file mode 100644
index 000000000..5a758cce4
--- /dev/null
+++ b/src/webex/pages/redirect.js
@@ -0,0 +1,12 @@
+/**
+ * This is the entry point for redirects, and should be the only
+ * web-accessible resource declared in the manifest.  This prevents
+ * malicious websites from embedding wallet pages in them.
+ * 
+ * We still need this redirect page since a webRequest can only directly
+ * redirect to pages inside the extension that are a web-accessible resource.
+ */
+
+ 
+const myUrl = new URL(window.location.href);
+window.location.replace(myUrl.searchParams.get("url"));
diff --git a/src/webex/wxBackend.ts b/src/webex/wxBackend.ts
index a778cc986..f1116637d 100644
--- a/src/webex/wxBackend.ts
+++ b/src/webex/wxBackend.ts
@@ -449,6 +449,21 @@ async function talerPay(fields: any, url: string, tabId: number): Promise<string
 }
+function makeSyncWalletRedirect(url: string, params?: {[name: string]: string | undefined}): object {
+  const innerUrl = new URI(chrome.extension.getURL("/src/webex/pages/" + url));
+  if (params) {
+    for (const key in params) {
+      if (params[key]) {
+        innerUrl.addSearch(key, params[key]);
+      }
+    }
+  }
+  const outerUrl = new URI(chrome.extension.getURL("/src/webex/pages/redirect.html"));
+  outerUrl.addSearch("url", innerUrl);
+  return { redirectUrl: outerUrl.href() };
+}
+
+
 /**
  * Handle a HTTP response that has the "402 Payment Required" status.
  * In this callback we don't have access to the body, and must communicate via
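Review bot: `window.location.replace(myUrl.searchParams.get("url"))` on the last line of redirect.js forwards to whatever `url` the query string carries, and since redirect.html is by design the one web-accessible resource, any website can navigate to or frame it with an attacker-chosen `url`. That is an open redirect from the extension origin and, unless the browser refuses extension-initiated navigations to non-web-accessible pages (I would not rely on that), a way to steer an iframe onto exactly the wallet pages this commit wants to keep un-embeddable. The only producer in this diff, makeSyncWalletRedirect in wxBackend.ts, always hands over a `chrome.extension.getURL("/src/webex/pages/...")` URL, so restricting the target to the extension's own origin and refusing to run when framed changes nothing for legitimate callers. `searchParams.get` also returns null when the parameter is absent, which `replace` would coerce to the relative URL "null"; the check below covers that case, and an unparsable target throws from `new URL`, which is the desired outcome too.
```javascript
const myUrl = new URL(window.location.href);
const target = myUrl.searchParams.get("url");
// Only accept pages of this extension as redirect targets: this page is
// web-accessible, so the "url" parameter may come from an arbitrary website.
const framed = window.top !== window.self;
const sameOrigin = target !== null &&
  new URL(target, window.location.href).origin === window.location.origin;
if (framed || !sameOrigin) {
  throw new Error("refusing to redirect to " + target);
}
window.location.replace(target);
```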
@@ -497,30 +512,22 @@ function handleHttpPayment(headerList: chrome.webRequest.HttpHeader[], url: stri
   }
   // Synchronous fast path for new contract
   if (fields.contract_url) {
-    const uri = new URI(chrome.extension.getURL("/src/webex/pages/confirm-contract.html"));
-    uri.addSearch("contractUrl", fields.contract_url);
-    if (fields.session_id) {
-      uri.addSearch("sessionId", fields.session_id);
-    }
-    if (fields.resource_url) {
-      uri.addSearch("resourceUrl", fields.resource_url);
-    }
-    return { redirectUrl: uri.href() };
+    return makeSyncWalletRedirect("confirm-contract.html", {
+      contractUrl: fields.contract_url,
+      sessionId: fields.session_id,
+      resourceUrl: fields.resource_url,
+    });
   }
   // Synchronous fast path for tip
   if (fields.tip) {
-    const uri = new URI(chrome.extension.getURL("/src/webex/pages/tip.html"));
-    uri.query({ tip_token: fields.tip });
-    return { redirectUrl: uri.href() };
+    return makeSyncWalletRedirect("tip.html", { tip_token: fields.tip });
   }
   // Synchronous fast path for refund
   if (fields.refund_url) {
     console.log("processing refund");
-    const uri = new URI(chrome.extension.getURL("/src/webex/pages/refund.html"));
-    uri.query({ refundUrl: fields.refund_url });
-    return { redirectUrl: uri.href() };
+    return makeSyncWalletRedirect("refund.html", { refundUrl: fields.refund_url });
   }
   // We need to do some asynchronous operation, we can't directly redirect |
