aboutsummaryrefslogtreecommitdiff
path: root/src/webex
diff options
context:
space:
mode:
Diffstat (limited to 'src/webex')
-rw-r--r--src/webex/pages/redirect.html14
-rw-r--r--src/webex/pages/redirect.js12
-rw-r--r--src/webex/wxBackend.ts37
3 files changed, 48 insertions, 15 deletions
diff --git a/src/webex/pages/redirect.html b/src/webex/pages/redirect.html
new file mode 100644
index 000000000..9d07d3d2b
--- /dev/null
+++ b/src/webex/pages/redirect.html
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <meta charset="utf-8">
+
+ <script src="/src/webex/pages/redirect.js"></script>
+</head>
+
+<body>
+ Redirecting to extension page ...
+</body>
+
+</html>
diff --git a/src/webex/pages/redirect.js b/src/webex/pages/redirect.js
new file mode 100644
index 000000000..5a758cce4
--- /dev/null
+++ b/src/webex/pages/redirect.js
@@ -0,0 +1,12 @@
+/**
+ * This is the entry point for redirects, and should be the only
+ * web-accessible resource declared in the manifest. This prevents
+ * malicious websites from embedding wallet pages in them.
+ *
+ * We still need this redirect page since a webRequest can only directly
+ * redirect to pages inside the extension that are a web-accessible resource.
+ */
+
+
+const myUrl = new URL(window.location.href);
+window.location.replace(myUrl.searchParams.get("url"));
diff --git a/src/webex/wxBackend.ts b/src/webex/wxBackend.ts
index a778cc986..f1116637d 100644
--- a/src/webex/wxBackend.ts
+++ b/src/webex/wxBackend.ts
@@ -449,6 +449,21 @@ async function talerPay(fields: any, url: string, tabId: number): Promise<string
}
+function makeSyncWalletRedirect(url: string, params?: {[name: string]: string | undefined}): object {
+ const innerUrl = new URI(chrome.extension.getURL("/src/webex/pages/" + url));
+ if (params) {
+ for (const key in params) {
+ if (params[key]) {
+ innerUrl.addSearch(key, params[key]);
+ }
+ }
+ }
+ const outerUrl = new URI(chrome.extension.getURL("/src/webex/pages/redirect.html"));
+ outerUrl.addSearch("url", innerUrl);
+ return { redirectUrl: outerUrl.href() };
+}
+
+
/**
* Handle a HTTP response that has the "402 Payment Required" status.
* In this callback we don't have access to the body, and must communicate via
@@ -497,30 +512,22 @@ function handleHttpPayment(headerList: chrome.webRequest.HttpHeader[], url: stri
}
// Synchronous fast path for new contract
if (fields.contract_url) {
- const uri = new URI(chrome.extension.getURL("/src/webex/pages/confirm-contract.html"));
- uri.addSearch("contractUrl", fields.contract_url);
- if (fields.session_id) {
- uri.addSearch("sessionId", fields.session_id);
- }
- if (fields.resource_url) {
- uri.addSearch("resourceUrl", fields.resource_url);
- }
- return { redirectUrl: uri.href() };
+ return makeSyncWalletRedirect("confirm-contract.html", {
+ contractUrl: fields.contract_url,
+ sessionId: fields.session_id,
+ resourceUrl: fields.resource_url,
+ });
}
// Synchronous fast path for tip
if (fields.tip) {
- const uri = new URI(chrome.extension.getURL("/src/webex/pages/tip.html"));
- uri.query({ tip_token: fields.tip });
- return { redirectUrl: uri.href() };
+ return makeSyncWalletRedirect("tip.html", { tip_token: fields.tip });
}
// Synchronous fast path for refund
if (fields.refund_url) {
console.log("processing refund");
- const uri = new URI(chrome.extension.getURL("/src/webex/pages/refund.html"));
- uri.query({ refundUrl: fields.refund_url });
- return { redirectUrl: uri.href() };
+ return makeSyncWalletRedirect("refund.html", { refundUrl: fields.refund_url });
}
// We need to do some asynchronous operation, we can't directly redirect