
Conversation

@gioelecerati (Member)

Description

Concise description of proposed changes

Additional Information

@vercel bot commented Jun 2, 2025

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name | Status | Updated (UTC)
coinbase-lvpr-tv | ✅ Ready | Jun 4, 2025 4:27pm
lvpr-tv | ✅ Ready | Jun 4, 2025 4:27pm
ui-kit-docs-embed | ✅ Ready | Jun 4, 2025 4:27pm
ui-kit-next | ✅ Ready | Jun 4, 2025 4:27pm
ui-kit-next-pages | ✅ Ready | Jun 4, 2025 4:27pm
ui-kit-with-pubnub | ❌ Failed | Jun 4, 2025 4:27pm

return;
}

const handleMessage = (event: MessageEvent) => {

Check warning (Code scanning / CodeQL, severity: Medium)

Missing origin verification in `postMessage` handler

Postmessage handler has no origin check.

Copilot Autofix (AI, 8 months ago)

To fix the issue, the handleMessage function should explicitly verify the origin of incoming messages against a list of trusted origins. This can be done by ensuring that the isAllowedOrigin function is correctly implemented and used to validate the event.origin. If the origin is not trusted, the function should immediately return without processing the message.

Steps to fix:

  1. Ensure the isAllowedOrigin function is implemented to check the origin against a predefined list of trusted origins.
  2. Use the isAllowedOrigin function in the handleMessage function to validate the event.origin.
  3. Add comments to clarify the purpose of the origin check for future maintainers.

Suggested changeset 1
apps/lvpr-tv/src/components/IframeMessenger.tsx

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/apps/lvpr-tv/src/components/IframeMessenger.tsx b/apps/lvpr-tv/src/components/IframeMessenger.tsx
--- a/apps/lvpr-tv/src/components/IframeMessenger.tsx
+++ b/apps/lvpr-tv/src/components/IframeMessenger.tsx
@@ -54,3 +54,5 @@
     const handleMessage = (event: MessageEvent) => {
+      // Validate the origin of the incoming message
       if (!isAllowedOrigin(event.origin)) {
+        console.warn(`Blocked message from untrusted origin: ${event.origin}`);
         return;
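Review bot: The only behavioural change in this hunk is the added `console.warn`; the `if (!isAllowedOrigin(event.origin))` guard and its early `return` are unchanged context lines, so the patch does not by itself resolve the CodeQL finding. Whether the finding is real depends on what `isAllowedOrigin` does, which is not visible here: if it does an exact match on a fixed list of full origins (scheme, host and port), the alert is a false positive and can be dismissed with that justification; if it uses a substring, prefix or regex test, that function is where the fix belongs. Also consider whether writing the raw untrusted origin to the console is wanted in production.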
@@ -58,2 +60,3 @@
 
+      // Process the message from a trusted origin
       //console.log("Received message from parent:", event.data);
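Review bot: The added `// Process the message from a trusted origin` comment sits directly above a commented-out `//console.log(...)` line, so it annotates dead code rather than the processing logic. Either drop the stale commented-out log line or place the new comment on the first live statement that handles `event.data`, so the comment stays accurate.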
EOF
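As an added example (not code from the ui-kit repository or from this PR), the following shows how a `postMessage` handler of the kind the CodeQL alert describes can enforce an origin allowlist before acting on `event.data`. The allowlist entries, the `createMessageHandler` and `runSample` helpers, and the sample events are constructed for illustration; the `isAllowedOrigin` here is a stand-in for the project's function, not a copy of it.

```javascript
// Added example, not code from the ui-kit repository: a postMessage
// handler that enforces an origin allowlist before it touches event.data.
// The allowlist entries and the sample events below are constructed.

const ALLOWED_ORIGINS = [
  "https://player.example",
  "https://embed.example:8443",
];

// Exact match on the full origin string (scheme + host + port).
// A substring, startsWith or endsWith test would accept lookalike hosts
// such as https://player.example.attacker.test, so avoid those.
function isAllowedOrigin(origin, allowed = ALLOWED_ORIGINS) {
  return typeof origin === "string" && allowed.includes(origin);
}

// Build a handler bound to an allowlist, a callback for accepted messages,
// and a logger (injected so the behaviour can be exercised without a browser).
function createMessageHandler(allowed, onMessage, logger = console) {
  return function handleMessage(event) {
    // Drop anything not from a trusted origin before looking at the payload.
    if (!isAllowedOrigin(event.origin, allowed)) {
      logger.warn(`Blocked message from untrusted origin: ${event.origin}`);
      return { accepted: false, reason: "untrusted-origin" };
    }
    // A trusted origin can still send a malformed payload (a buggy or
    // compromised parent page), so validate the shape as well.
    const data = event.data;
    if (data === null || typeof data !== "object" || typeof data.type !== "string") {
      return { accepted: false, reason: "bad-payload" };
    }
    onMessage(data, event.origin);
    return { accepted: true, reason: null };
  };
}

// Runs the handler over constructed events and returns what happened.
function runSample() {
  const received = [];
  const warnings = [];
  const handler = createMessageHandler(
    ALLOWED_ORIGINS,
    (data, origin) => received.push({ origin, type: data.type }),
    { warn: (msg) => warnings.push(msg) },
  );
  const events = [
    { origin: "https://player.example", data: { type: "play" } },               // trusted
    { origin: "https://player.example.attacker.test", data: { type: "play" } }, // lookalike host
    { origin: "http://player.example", data: { type: "play" } },                // wrong scheme
    { origin: "https://embed.example", data: { type: "play" } },                // port missing
    { origin: "null", data: { type: "play" } },                                 // opaque origin (sandboxed iframe)
    { origin: "https://embed.example:8443", data: "play" },                     // trusted origin, bad payload
  ];
  return { results: events.map(handler), received, warnings };
}

// In a browser, attach the handler to the window's message events.
if (typeof window !== "undefined") {
  window.addEventListener(
    "message",
    createMessageHandler(ALLOWED_ORIGINS, (data) => console.log("accepted", data)),
  );
}
```

`runSample()` accepts only the first event; the four origin mismatches (lookalike host, wrong scheme, missing port, opaque `null` origin) are rejected before the payload is read, and the last event is rejected on payload shape even though its origin is trusted. The logger is injected so the warning path can be checked without a browser.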
@gioelecerati gioelecerati merged commit a128ee7 into main Jun 4, 2025
13 of 14 checks passed
@gioelecerati gioelecerati deleted the gio/lvpr-tv/post-message branch June 4, 2025 16:30


3 participants