security: derive RPC origin from sender instead of trusting msg.origin

2026-02-27 11:35:31 -08:00
parent 13e2bdb0b0
commit d59ebfd461
1 changed files with 13 additions and 1 deletions
--- a/src/background/index.js
+++ b/src/background/index.js
@@ -617,7 +617,19 @@ if (windowsApi && windowsApi.onRemoved) {
 // Listen for messages from content scripts and popup
 runtime.onMessage.addListener((msg, sender, sendResponse) => {
    if (msg.type === "AUTISTMASK_RPC") {
-        handleRpc(msg.method, msg.params, msg.origin).then((response) => {
+        // Derive origin from trusted sender info to prevent origin spoofing.
+        // Chrome MV3 provides sender.origin; Firefox MV2 fallback uses sender.tab.url.
+        let trustedOrigin = msg.origin; // fallback only if sender info unavailable
+        if (sender.origin) {
+            trustedOrigin = sender.origin;
+        } else if (sender.tab && sender.tab.url) {
+            try {
+                trustedOrigin = new URL(sender.tab.url).origin;
+            } catch {
+                // keep fallback
+            }
+        }
+        handleRpc(msg.method, msg.params, trustedOrigin).then((response) => {
            sendResponse(response);
        });
        return true;