fix(L4): use location.origin for postMessage, one-shot UUID listener
Some checks failed
check / check (push) Failing after 13s

- Content script sends UUID via location.origin instead of "*"
- Inpage UUID listener removes itself after first message to prevent
  malicious pages from overriding the persisted UUID
user
2026-02-27 11:58:57 -08:00
parent 909543e943
commit 27f16191b4
2 changed files with 7 additions and 5 deletions


@@ -26,7 +26,7 @@ if (typeof browser !== "undefined") {
uuid = crypto.randomUUID(); uuid = crypto.randomUUID();
storage.set({ eip6963Uuid: uuid }); storage.set({ eip6963Uuid: uuid });
} }
window.postMessage({ type: "AUTISTMASK_PROVIDER_UUID", uuid }, "*"); window.postMessage({ type: "AUTISTMASK_PROVIDER_UUID", uuid }, location.origin);
}); });
})(); })();
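Review bot: The new target `location.origin` on the postMessage line is the literal string "null" in documents with an opaque origin (sandboxed frames, `data:` URLs and, in some browsers, `file:` pages), and postMessage rejects that value with a SyntaxError, so the UUID is never delivered there and the surrounding callback throws. Whether the content script is injected into such documents depends on the manifest, which is not visible here. If it is, guard the call, e.g. `if (location.origin !== "null") window.postMessage({ type: "AUTISTMASK_PROVIDER_UUID", uuid }, location.origin);`, and let the inpage script keep whatever `providerUuid` it already holds. The target origin limits which document receives the message but does not hide the UUID from scripts in that document, so it should not be treated as a secret. The enclosing callback starts outside the hunk.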


@@ -9,7 +9,7 @@
const pending = {}; const pending = {};
// Listen for responses from the content script // Listen for responses from the content script
window.addEventListener("message", (event) => { window.addEventListener("message", function onUuid(event) {
if (event.source !== window) return; if (event.source !== window) return;
if (event.data?.type !== "AUTISTMASK_RESPONSE") return; if (event.data?.type !== "AUTISTMASK_RESPONSE") return;
const { id, result, error } = event.data; const { id, result, error } = event.data;
@@ -24,7 +24,7 @@
}); });
// Listen for events pushed from the extension // Listen for events pushed from the extension
window.addEventListener("message", (event) => { window.addEventListener("message", function onUuid(event) {
if (event.source !== window) return; if (event.source !== window) return;
if (event.data?.type !== "AUTISTMASK_EVENT") return; if (event.data?.type !== "AUTISTMASK_EVENT") return;
const { eventName, data } = event.data; const { eventName, data } = event.data;
@@ -178,12 +178,14 @@
} }
// Listen for the persisted UUID from the content script // Listen for the persisted UUID from the content script
window.addEventListener("message", (event) => { function onProviderUuid(event) {
if (event.source !== window) return; if (event.source !== window) return;
if (event.data?.type !== "AUTISTMASK_PROVIDER_UUID") return; if (event.data?.type !== "AUTISTMASK_PROVIDER_UUID") return;
window.removeEventListener("message", onProviderUuid);
providerUuid = event.data.uuid; providerUuid = event.data.uuid;
announceProvider(); announceProvider();
}); }
window.addEventListener("message", onProviderUuid);
window.addEventListener("eip6963:requestProvider", announceProvider); window.addEventListener("eip6963:requestProvider", announceProvider);
announceProvider(); announceProvider();
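Review bot: Removing `onProviderUuid` after the first matching message makes the UUID first-writer-wins rather than tamper-proof. Page scripts run in the same window, so their messages also pass the `event.source !== window` check, and the content script appears to post from inside an asynchronous storage callback (first file), so an earlier message from the page would be accepted and the genuine one then ignored. At minimum validate the value before unregistering, e.g. `if (typeof event.data.uuid !== "string") return;` above the `removeEventListener` call, and consider handing the UUID over through a channel the page cannot write to, if the injection path allows one. Separately, the response and event listeners in the first two hunks are now both named `onUuid` although they handle `AUTISTMASK_RESPONSE` and `AUTISTMASK_EVENT` and are not shown being removed; names such as `onResponse` and `onExtensionEvent` would match what they do. Their bodies continue outside the hunks.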