mirrors/ladybird
0
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2025-04-27 23:09:08 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

LibWeb: Make MessageEvents from {Window,MessagePort}.postMessage trusted

Browse source 
The MessagePort one in particular is required by Cloudflare Turnstile,
as the method it takes to run JS in a worker is to `eval` the contents
of `MessageEvent.data`. However, it will only do this if
`MessageEvent.isTrusted` is true, `MessageEvent.origin` is the empty
string and `MessageEvent.source` is `null`.

The Window version is a quick fix whilst in the vicinity, as its
MessageEvent should also be trusted.
This commit is contained in:
Luke Wilde 2024-11-15 17:15:34 +00:00 committed by Andreas Kling
parent f87041bf3a
commit 079c28d5e6
Notes: github-actions[bot] 2024-11-15 17:51:05 +00:00
6 changed files with 64 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

4
Libraries/LibWeb/HTML/MessagePort.cpp
View file

@ -408,7 +408,9 @@ void MessagePort::post_message_task_steps(SerializedTransferRecord& serialize_wi
MessageEventInit event_init {};
event_init.data = message_clone;
event_init.ports = move(new_ports);
message_event_target->dispatch_event(MessageEvent::create(target_realm, HTML::EventNames::message, event_init));
auto event = MessageEvent::create(target_realm, HTML::EventNames::message, event_init);
event->set_is_trusted(true);
message_event_target->dispatch_event(event);
}
// https://html.spec.whatwg.org/multipage/web-messaging.html#dom-messageport-start