- Replace postMessage wildcard ('*') with explicit parent origin passed
via ?origin= parameter to prevent auth state disclosure to arbitrary
embedders
- Tighten frame-ancestors CSP: production restricts to self + DOMAIN,
dev restricts to localhost origins (was frame-ancestors *)
- Remove deprecated X-Frame-Options ALLOW-FROM header (CSP
frame-ancestors is the modern replacement)
- Validate targetOrigin with URL constructor before use
Bunker Admin
<!DOCTYPE html>
<html><head><title>Auth Check</title></head>
<body>
<script>
// This page is loaded in a hidden iframe from the MkDocs header.
// It reads the auth state from this origin's localStorage and
// posts it back to the parent window via postMessage.
// The parent passes its origin as ?origin=... so we can target the reply.
(function() {
var authenticated = false;
try {
var stored = localStorage.getItem('cml-auth');
if (stored) {
var parsed = JSON.parse(stored);
if (parsed && parsed.state && parsed.state.accessToken) {
authenticated = true;
}
}
} catch(e) {}
// Only post back to the declared parent origin (prevents state disclosure to arbitrary embedders)
var params = new URLSearchParams(location.search);
var targetOrigin = params.get('origin');
if (!targetOrigin) return;
// Validate targetOrigin is a proper origin (protocol + host, no path)
try {
var url = new URL(targetOrigin);
targetOrigin = url.origin;
} catch(e) { return; }
if (window.parent && window.parent !== window) {
window.parent.postMessage({
type: 'cml-auth-status',
authenticated: authenticated
}, targetOrigin);
}
})();
</script>
</body>
</html>
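Review bot: The value read by `params.get('origin')` is chosen by whoever frames this page, so the `new URL(...)` step only normalises it — any embedder can pass its own origin and receive the `cml-auth-status` reply — and the comment "prevents state disclosure to arbitrary embedders" overstates what this check achieves on its own; the real restriction is the frame-ancestors CSP header, which lives outside this file and would silently stop protecting this reply if it were ever relaxed on a deployment. Compare the parsed origin against the same allowlist the CSP uses before posting, e.g. `var allowedOrigins = [location.origin, '<DOCS_PARENT_ORIGIN placeholder>']; if (allowedOrigins.indexOf(url.origin) === -1) return;`, and reword the comment to say the parameter selects the target while the allowlist/CSP decides who may receive it. That check also covers the case where `url.origin` is the literal string `"null"` (opaque origins such as `data:` inputs), for which the later `postMessage` call would, as far as I can tell, throw a SyntaxError rather than fail closed. The empty `catch(e) {}` around the localStorage read appears to be a deliberate "treat unreadable state as unauthenticated" choice; a one-line comment saying so would stop a future reader from "fixing" it into a throw.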