Merge pull request #23 from gauthamsriman/remove-origin-check

mhemesath · web-flow · commit 8bc1c9d91352 · 2018-04-27T14:31:33.000-05:00
Don't check for same origin on embedded frames
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,9 @@
 Next Release
 -------------
 
+* Remove frame origin check as it doesn't provide any added security value and makes
+  integration more complicated for providing applications.
+
 1.5.1
 ------
 * Added download attribute check for IE11 in unload trigger.
diff --git a/package-lock.json b/package-lock.json
diff --git a/src/consumer/frame.js b/src/consumer/frame.js
@@ -198,15 +198,11 @@ class Frame extends EventEmitter {
     // 2. Identify the app the message came from.
     if (this.iframe.contentWindow !== event.source) return;
 
-    // 3. Verify that the origin of the app is trusted
-    // For Chrome, the origin property is in the event.originalEvent object
-    const origin = event.origin || event.originalEvent.origin;
-    if (origin === this.origin) {
-      logger.log('<< consumer', event.origin, event.data);
-
-      // 4. Send a response, if any, back to the app.
-      this.JSONRPC.handle(event.data);
-    }
+    logger.log('<< consumer', event.origin, event.data);
+
+    // 3. Send a response, if any, back to the app.
+    this.JSONRPC.handle(event.data);
+
   }
 
   /**
diff --git a/test/frame.js b/test/frame.js
@@ -134,15 +134,15 @@ describe('Frame', () => {
         sinon.assert.notCalled(handle);
       });
 
-      it("ignores messages from different origins", () => {
+      it("doesn't ignore messages from different origins", () => {
         const event = {
           data: {jsonrpc: '2.0'},
           source: frame.iframe.contentWindow,
           origin: 'invalid_origin'
         };
         frame.handleProviderMessage(event);
 
-        sinon.assert.notCalled(handle);
+        sinon.assert.called(handle);
       });
 
       it("calls this.JSONRPC.handle with the data of given event", () => {
