LibWeb: Make MessageEvents from {Window,MessagePort}.postMessage trusted

The MessagePort one in particular is required by Cloudflare Turnstile, as the method it takes to run JS in a worker is to `eval` the contents of `MessageEvent.data`. However, it will only do this if `MessageEvent.isTrusted` is true, `MessageEvent.origin` is the empty string and `MessageEvent.source` is `null`. The Window version is a quick fix whilst in the vicinity, as its MessageEvent should also be trusted.
Author: https://github.com/Lubrsi Commit: 079c28d5e6 Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/2366
2025-08-11 18:50:50 +00:00 · 2024-11-15 17:15:34 +00:00 · 2024-11-15 17:15:34 +00:00 · 079c28d5e6 · 2024-11-15 17:51:05 +00:00
commit 079c28d5e6
parent f87041bf3a
6 changed files with 64 additions and 1 deletions
--- a/Tests/LibWeb/Text/input/HTML/Window-MessageEvents-should-be-trusted.html
+++ b/Tests/LibWeb/Text/input/HTML/Window-MessageEvents-should-be-trusted.html
@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<script src="../include.js"></script>
+<script>
+    asyncTest((done) => {
+        const iframe = document.createElement("iframe");
+        document.body.appendChild(iframe);
+
+        const script = iframe.contentDocument.createElement("script");
+        script.textContent = `
+            self.onmessage = (messageEvent) => {
+                if (messageEvent.isTrusted && messageEvent.source === window.parent) {
+                    window.parent.postMessage(messageEvent.data + "pong");
+                }
+            };
+        `;
+        iframe.contentDocument.body.appendChild(script);
+
+        window.onmessage = (messageEvent) => {
+            if (messageEvent.isTrusted && messageEvent.source === iframe.contentWindow) {
+                println(messageEvent.data);
+                done();
+            }
+        }
+
+        iframe.contentWindow.postMessage("ping\n", { targetOrigin: "*" });
+    });
+</script>