
[GNUnet-SVN] [taler-wallet-webex] branch master updated: prevent embeddi


From: gnunet
Subject: [GNUnet-SVN] [taler-wallet-webex] branch master updated: prevent embedding wallet pages in other web pages
Date: Wed, 07 Feb 2018 16:15:51 +0100

This is an automated email from the git hooks/post-receive script.

dold pushed a commit to branch master
in repository wallet-webex.

The following commit(s) were added to refs/heads/master by this push:
     new f1bef047 prevent embedding wallet pages in other web pages
f1bef047 is described below

commit f1bef0473bf5e3f2661dd6ba82f6350164ff69ab
Author: Florian Dold <address@hidden>
AuthorDate: Wed Feb 7 16:15:40 2018 +0100

    prevent embedding wallet pages in other web pages
---
 gulpfile.js                     |  2 +-
 manifest.json                   |  2 +-
 src/i18n/de.po                  | 28 ++++++++++++++--------------
 src/i18n/en-US.po               | 28 ++++++++++++++--------------
 src/i18n/fr.po                  | 28 ++++++++++++++--------------
 src/i18n/it.po                  | 28 ++++++++++++++--------------
 src/i18n/taler-wallet-webex.pot | 28 ++++++++++++++--------------
 src/webex/pages/redirect.html   | 14 ++++++++++++++
 src/webex/pages/redirect.js     | 12 ++++++++++++
 src/webex/wxBackend.ts          | 37 ++++++++++++++++++++++---------------
 10 files changed, 120 insertions(+), 87 deletions(-)

diff --git a/gulpfile.js b/gulpfile.js
index f8e0c90f..f9ba97b7 100644
--- a/gulpfile.js
+++ b/gulpfile.js
@@ -73,7 +73,7 @@ const paths = {
     "emscripten/taler-emscripten-lib.js",
     "img/icon.png",
     "img/logo.png",
-    "src/**/*.{css,html}",
+    "src/**/*.{js,css,html}",
   ],
   // for the source distribution
   extra: [
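Review bot: The widened glob `src/**/*.{js,css,html}` copies every `.js` file under `src/` into the shipped extension, while the only new file that needs it is `src/webex/pages/redirect.js`. If any other plain `.js` files live under `src/` (test fixtures, scratch files, pre-bundled output), they would now be packaged and, being inside the extension, run with extension privileges if anything ever references them. Unless the broad match is intentional, list the file explicitly instead: `"src/webex/pages/redirect.js",` on its own line next to the icon entries, keeping the original `"src/**/*.{css,html}"` pattern. The `paths` object starts before this hunk.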
diff --git a/manifest.json b/manifest.json
index 271cceeb..3df7aa68 100644
--- a/manifest.json
+++ b/manifest.json
@@ -50,7 +50,7 @@
   ],
 
   "web_accessible_resources": [
-    "src/*"
+    "src/webex/pages/redirect.html"
   ],
 
   "background": {
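Review bot: Narrowing `web_accessible_resources` to `src/webex/pages/redirect.html` is the right direction, but it means the whole "no embedding" guarantee now rests on that one page, which any web origin can still load (Chrome extension IDs are stable for a published extension, so the URL is guessable) and which, per this commit, forwards to whatever its `url` parameter says. As far as I can tell, a navigation initiated by the extension page itself is not subject to this manifest check, so a site that frames `redirect.html?url=<wallet page>` could end up with the wallet page inside its iframe anyway. JSON cannot carry a comment, so the invariant should be stated where the reader will look, in the header comment of `redirect.js`: `This page is reachable from any web origin; it must never redirect when framed, and only to pages of this extension.`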
diff --git a/src/i18n/de.po b/src/i18n/de.po
index 37748180..d96299de 100644
--- a/src/i18n/de.po
+++ b/src/i18n/de.po
@@ -206,41 +206,41 @@ msgstr ""
 msgid "%1$s being spent\n"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:309
+#: src/webex/pages/popup.tsx:310
 #, c-format
 msgid "Error: could not retrieve balance information."
 msgstr ""
 
-#: src/webex/pages/popup.tsx:336
+#: src/webex/pages/popup.tsx:337
 #, c-format
 msgid "Payback"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:337
+#: src/webex/pages/popup.tsx:338
 #, c-format
 msgid "Return Electronic Cash to Bank Account"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:338
+#: src/webex/pages/popup.tsx:339
 #, c-format
 msgid "Manage Trusted Auditors and Exchanges"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:350
+#: src/webex/pages/popup.tsx:351
 #, fuzzy, c-format
 msgid ""
 "Bank requested reserve (%1$s) for\n"
 " %2$s.\n"
 msgstr "Bank bestätig anlegen der Reserve (%1$s) bei %2$s"
 
-#: src/webex/pages/popup.tsx:360
+#: src/webex/pages/popup.tsx:361
 #, fuzzy, c-format
 msgid ""
 "Started to withdraw\n"
 " %1$s%2$sfrom%3$s(%4$s).\n"
 msgstr "Reserve (%1$s) mit %2$s bei %3$s erzeugt"
 
-#: src/webex/pages/popup.tsx:369
+#: src/webex/pages/popup.tsx:370
 #, fuzzy, c-format
 msgid "Merchant%1$soffered%2$scontract%3$s.\n"
 msgstr ""
@@ -248,24 +248,24 @@ msgstr ""
 "               möchte einen Vertrag über %2$s\n"
 "               mit Ihnen abschließen."
 
-#: src/webex/pages/popup.tsx:380
+#: src/webex/pages/popup.tsx:381
 #, fuzzy, c-format
 msgid "Withdrew%1$sfrom%2$s(%3$s).\n"
 msgstr "Reserve (%1$s) mit %2$s bei %3$s erzeugt"
 
-#: src/webex/pages/popup.tsx:390
+#: src/webex/pages/popup.tsx:391
 #, fuzzy, c-format
 msgid ""
 "Paid%1$sto merchant%2$s.\n"
 "%3$s(%4$s)\n"
 msgstr "Reserve (%1$s) mit %2$s bei %3$s erzeugt"
 
-#: src/webex/pages/popup.tsx:400
+#: src/webex/pages/popup.tsx:401
 #, c-format
 msgid "Merchant%1$sgave a refund over%2$s.\n"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:410
+#: src/webex/pages/popup.tsx:411
 #, fuzzy, c-format
 msgid ""
 "Merchant%1$sgave\n"
@@ -276,17 +276,17 @@ msgstr ""
 "               möchte einen Vertrag über %2$s\n"
 "               mit Ihnen abschließen."
 
-#: src/webex/pages/popup.tsx:420
+#: src/webex/pages/popup.tsx:421
 #, c-format
 msgid "Unknown event (%1$s)"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:463
+#: src/webex/pages/popup.tsx:464
 #, c-format
 msgid "Error: could not retrieve event history"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:488
+#: src/webex/pages/popup.tsx:489
 #, c-format
 msgid "Your wallet has no events recorded."
 msgstr "Ihre Geldbörse verzeichnet keine Vorkommnisse."
diff --git a/src/i18n/en-US.po b/src/i18n/en-US.po
index c56d57f4..665b2771 100644
--- a/src/i18n/en-US.po
+++ b/src/i18n/en-US.po
@@ -206,63 +206,63 @@ msgstr ""
 msgid "%1$s being spent\n"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:309
+#: src/webex/pages/popup.tsx:310
 #, c-format
 msgid "Error: could not retrieve balance information."
 msgstr ""
 
-#: src/webex/pages/popup.tsx:336
+#: src/webex/pages/popup.tsx:337
 #, c-format
 msgid "Payback"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:337
+#: src/webex/pages/popup.tsx:338
 #, c-format
 msgid "Return Electronic Cash to Bank Account"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:338
+#: src/webex/pages/popup.tsx:339
 #, c-format
 msgid "Manage Trusted Auditors and Exchanges"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:350
+#: src/webex/pages/popup.tsx:351
 #, c-format
 msgid ""
 "Bank requested reserve (%1$s) for\n"
 " %2$s.\n"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:360
+#: src/webex/pages/popup.tsx:361
 #, c-format
 msgid ""
 "Started to withdraw\n"
 " %1$s%2$sfrom%3$s(%4$s).\n"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:369
+#: src/webex/pages/popup.tsx:370
 #, c-format
 msgid "Merchant%1$soffered%2$scontract%3$s.\n"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:380
+#: src/webex/pages/popup.tsx:381
 #, c-format
 msgid "Withdrew%1$sfrom%2$s(%3$s).\n"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:390
+#: src/webex/pages/popup.tsx:391
 #, c-format
 msgid ""
 "Paid%1$sto merchant%2$s.\n"
 "%3$s(%4$s)\n"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:400
+#: src/webex/pages/popup.tsx:401
 #, c-format
 msgid "Merchant%1$sgave a refund over%2$s.\n"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:410
+#: src/webex/pages/popup.tsx:411
 #, c-format
 msgid ""
 "Merchant%1$sgave\n"
@@ -270,17 +270,17 @@ msgid ""
 "%4$s%5$s"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:420
+#: src/webex/pages/popup.tsx:421
 #, c-format
 msgid "Unknown event (%1$s)"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:463
+#: src/webex/pages/popup.tsx:464
 #, c-format
 msgid "Error: could not retrieve event history"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:488
+#: src/webex/pages/popup.tsx:489
 #, c-format
 msgid "Your wallet has no events recorded."
 msgstr ""
diff --git a/src/i18n/fr.po b/src/i18n/fr.po
index b5b7259e..4a50742b 100644
--- a/src/i18n/fr.po
+++ b/src/i18n/fr.po
@@ -206,63 +206,63 @@ msgstr ""
 msgid "%1$s being spent\n"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:309
+#: src/webex/pages/popup.tsx:310
 #, c-format
 msgid "Error: could not retrieve balance information."
 msgstr ""
 
-#: src/webex/pages/popup.tsx:336
+#: src/webex/pages/popup.tsx:337
 #, c-format
 msgid "Payback"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:337
+#: src/webex/pages/popup.tsx:338
 #, c-format
 msgid "Return Electronic Cash to Bank Account"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:338
+#: src/webex/pages/popup.tsx:339
 #, c-format
 msgid "Manage Trusted Auditors and Exchanges"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:350
+#: src/webex/pages/popup.tsx:351
 #, c-format
 msgid ""
 "Bank requested reserve (%1$s) for\n"
 " %2$s.\n"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:360
+#: src/webex/pages/popup.tsx:361
 #, c-format
 msgid ""
 "Started to withdraw\n"
 " %1$s%2$sfrom%3$s(%4$s).\n"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:369
+#: src/webex/pages/popup.tsx:370
 #, c-format
 msgid "Merchant%1$soffered%2$scontract%3$s.\n"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:380
+#: src/webex/pages/popup.tsx:381
 #, c-format
 msgid "Withdrew%1$sfrom%2$s(%3$s).\n"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:390
+#: src/webex/pages/popup.tsx:391
 #, c-format
 msgid ""
 "Paid%1$sto merchant%2$s.\n"
 "%3$s(%4$s)\n"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:400
+#: src/webex/pages/popup.tsx:401
 #, c-format
 msgid "Merchant%1$sgave a refund over%2$s.\n"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:410
+#: src/webex/pages/popup.tsx:411
 #, c-format
 msgid ""
 "Merchant%1$sgave\n"
@@ -270,17 +270,17 @@ msgid ""
 "%4$s%5$s"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:420
+#: src/webex/pages/popup.tsx:421
 #, c-format
 msgid "Unknown event (%1$s)"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:463
+#: src/webex/pages/popup.tsx:464
 #, c-format
 msgid "Error: could not retrieve event history"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:488
+#: src/webex/pages/popup.tsx:489
 #, c-format
 msgid "Your wallet has no events recorded."
 msgstr ""
diff --git a/src/i18n/it.po b/src/i18n/it.po
index b5b7259e..4a50742b 100644
--- a/src/i18n/it.po
+++ b/src/i18n/it.po
@@ -206,63 +206,63 @@ msgstr ""
 msgid "%1$s being spent\n"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:309
+#: src/webex/pages/popup.tsx:310
 #, c-format
 msgid "Error: could not retrieve balance information."
 msgstr ""
 
-#: src/webex/pages/popup.tsx:336
+#: src/webex/pages/popup.tsx:337
 #, c-format
 msgid "Payback"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:337
+#: src/webex/pages/popup.tsx:338
 #, c-format
 msgid "Return Electronic Cash to Bank Account"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:338
+#: src/webex/pages/popup.tsx:339
 #, c-format
 msgid "Manage Trusted Auditors and Exchanges"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:350
+#: src/webex/pages/popup.tsx:351
 #, c-format
 msgid ""
 "Bank requested reserve (%1$s) for\n"
 " %2$s.\n"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:360
+#: src/webex/pages/popup.tsx:361
 #, c-format
 msgid ""
 "Started to withdraw\n"
 " %1$s%2$sfrom%3$s(%4$s).\n"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:369
+#: src/webex/pages/popup.tsx:370
 #, c-format
 msgid "Merchant%1$soffered%2$scontract%3$s.\n"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:380
+#: src/webex/pages/popup.tsx:381
 #, c-format
 msgid "Withdrew%1$sfrom%2$s(%3$s).\n"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:390
+#: src/webex/pages/popup.tsx:391
 #, c-format
 msgid ""
 "Paid%1$sto merchant%2$s.\n"
 "%3$s(%4$s)\n"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:400
+#: src/webex/pages/popup.tsx:401
 #, c-format
 msgid "Merchant%1$sgave a refund over%2$s.\n"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:410
+#: src/webex/pages/popup.tsx:411
 #, c-format
 msgid ""
 "Merchant%1$sgave\n"
@@ -270,17 +270,17 @@ msgid ""
 "%4$s%5$s"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:420
+#: src/webex/pages/popup.tsx:421
 #, c-format
 msgid "Unknown event (%1$s)"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:463
+#: src/webex/pages/popup.tsx:464
 #, c-format
 msgid "Error: could not retrieve event history"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:488
+#: src/webex/pages/popup.tsx:489
 #, c-format
 msgid "Your wallet has no events recorded."
 msgstr ""
diff --git a/src/i18n/taler-wallet-webex.pot b/src/i18n/taler-wallet-webex.pot
index b5b7259e..4a50742b 100644
--- a/src/i18n/taler-wallet-webex.pot
+++ b/src/i18n/taler-wallet-webex.pot
@@ -206,63 +206,63 @@ msgstr ""
 msgid "%1$s being spent\n"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:309
+#: src/webex/pages/popup.tsx:310
 #, c-format
 msgid "Error: could not retrieve balance information."
 msgstr ""
 
-#: src/webex/pages/popup.tsx:336
+#: src/webex/pages/popup.tsx:337
 #, c-format
 msgid "Payback"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:337
+#: src/webex/pages/popup.tsx:338
 #, c-format
 msgid "Return Electronic Cash to Bank Account"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:338
+#: src/webex/pages/popup.tsx:339
 #, c-format
 msgid "Manage Trusted Auditors and Exchanges"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:350
+#: src/webex/pages/popup.tsx:351
 #, c-format
 msgid ""
 "Bank requested reserve (%1$s) for\n"
 " %2$s.\n"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:360
+#: src/webex/pages/popup.tsx:361
 #, c-format
 msgid ""
 "Started to withdraw\n"
 " %1$s%2$sfrom%3$s(%4$s).\n"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:369
+#: src/webex/pages/popup.tsx:370
 #, c-format
 msgid "Merchant%1$soffered%2$scontract%3$s.\n"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:380
+#: src/webex/pages/popup.tsx:381
 #, c-format
 msgid "Withdrew%1$sfrom%2$s(%3$s).\n"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:390
+#: src/webex/pages/popup.tsx:391
 #, c-format
 msgid ""
 "Paid%1$sto merchant%2$s.\n"
 "%3$s(%4$s)\n"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:400
+#: src/webex/pages/popup.tsx:401
 #, c-format
 msgid "Merchant%1$sgave a refund over%2$s.\n"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:410
+#: src/webex/pages/popup.tsx:411
 #, c-format
 msgid ""
 "Merchant%1$sgave\n"
@@ -270,17 +270,17 @@ msgid ""
 "%4$s%5$s"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:420
+#: src/webex/pages/popup.tsx:421
 #, c-format
 msgid "Unknown event (%1$s)"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:463
+#: src/webex/pages/popup.tsx:464
 #, c-format
 msgid "Error: could not retrieve event history"
 msgstr ""
 
-#: src/webex/pages/popup.tsx:488
+#: src/webex/pages/popup.tsx:489
 #, c-format
 msgid "Your wallet has no events recorded."
 msgstr ""
diff --git a/src/webex/pages/redirect.html b/src/webex/pages/redirect.html
new file mode 100644
index 00000000..9d07d3d2
--- /dev/null
+++ b/src/webex/pages/redirect.html
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+  <meta charset="utf-8">
+
+  <script src="/src/webex/pages/redirect.js"></script>
+</head>
+
+<body>
+  Redirecting to extension page ...
+</body>
+
+</html>
diff --git a/src/webex/pages/redirect.js b/src/webex/pages/redirect.js
new file mode 100644
index 00000000..5a758cce
--- /dev/null
+++ b/src/webex/pages/redirect.js
@@ -0,0 +1,12 @@
+/**
+ * This is the entry point for redirects, and should be the only
+ * web-accessible resource declared in the manifest.  This prevents
+ * malicious websites from embedding wallet pages in them.
+ * 
+ * We still need this redirect page since a webRequest can only directly
+ * redirect to pages inside the extension that are a web-accessible resource.
+ */
+
+ 
+const myUrl = new URL(window.location.href);
+window.location.replace(myUrl.searchParams.get("url"));
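Review bot: The redirect runs unconditionally on line `window.location.replace(myUrl.searchParams.get("url"))`, so a hostile site can frame this (web-accessible) page with its own `url` and, since the navigation is then initiated by the extension page rather than the web page, I believe it would load the wallet page inside the attacker's iframe, which is exactly what the commit sets out to prevent. The target is also unrestricted, so the extension's URL doubles as an open redirect to arbitrary external sites. Refuse to act when `window.top !== window.self`, and only redirect to a URL on this extension's own origin; a malformed `url` makes `new URL()` throw, which aborts the script without redirecting, which is the safe outcome. A `null` `url` is rejected explicitly rather than being passed to `replace()` as the string `"null"`.
```javascript
const myUrl = new URL(window.location.href);
const target = myUrl.searchParams.get("url");

// This page is web-accessible, so any site can load it in an <iframe> with an
// attacker-chosen `url`; redirecting from inside a frame would let it embed
// wallet pages after all.  Only redirect a top-level document, and only to
// another page of this extension.
if (window.top !== window.self) {
  console.error("redirect.html: refusing to redirect inside a frame");
} else if (target === null || new URL(target, window.location.href).origin !== window.location.origin) {
  console.error("redirect.html: refusing to redirect to a non-extension URL");
} else {
  window.location.replace(target);
}
```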
diff --git a/src/webex/wxBackend.ts b/src/webex/wxBackend.ts
index a778cc98..f1116637 100644
--- a/src/webex/wxBackend.ts
+++ b/src/webex/wxBackend.ts
@@ -449,6 +449,21 @@ async function talerPay(fields: any, url: string, tabId: 
number): Promise<string
 }
 
 
+function makeSyncWalletRedirect(url: string, params?: {[name: string]: string 
| undefined}): object {
+  const innerUrl = new URI(chrome.extension.getURL("/src/webex/pages/" + url));
+  if (params) {
+    for (const key in params) {
+      if (params[key]) {
+        innerUrl.addSearch(key, params[key]);
+      }
+    }
+  }
+  const outerUrl = new 
URI(chrome.extension.getURL("/src/webex/pages/redirect.html"));
+  outerUrl.addSearch("url", innerUrl);
+  return { redirectUrl: outerUrl.href() };
+}
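Review bot: `outerUrl.addSearch("url", innerUrl)` hands a `URI` object to a query builder and relies on it being stringified to the full href somewhere inside URI.js; passing `innerUrl.href()` makes the intent explicit and survives a library upgrade that becomes stricter about argument types. The return type `object` also discards the one fact callers need; `{ redirectUrl: string }` (the shape of a `chrome.webRequest.BlockingResponse`) would let the compiler check the three call sites. A short doc comment would help too, since the nesting is not obvious: `/** Build a redirect into an extension page via redirect.html, the only web-accessible resource; `params` entries that are undefined are dropped. */`.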
+
+
 /**
  * Handle a HTTP response that has the "402 Payment Required" status.
  * In this callback we don't have access to the body, and must communicate via
@@ -497,30 +512,22 @@ function handleHttpPayment(headerList: 
chrome.webRequest.HttpHeader[], url: stri
   }
   // Synchronous fast path for new contract
   if (fields.contract_url) {
-    const uri = new 
URI(chrome.extension.getURL("/src/webex/pages/confirm-contract.html"));
-    uri.addSearch("contractUrl", fields.contract_url);
-    if (fields.session_id) {
-      uri.addSearch("sessionId", fields.session_id);
-    }
-    if (fields.resource_url) {
-      uri.addSearch("resourceUrl", fields.resource_url);
-    }
-    return { redirectUrl: uri.href() };
+    return makeSyncWalletRedirect("confirm-contract.html", {
+      contractUrl: fields.contract_url,
+      sessionId: fields.session_id,
+      resourceUrl: fields.resource_url,
+    });
   }
 
   // Synchronous fast path for tip
   if (fields.tip) {
-    const uri = new URI(chrome.extension.getURL("/src/webex/pages/tip.html"));
-    uri.query({ tip_token: fields.tip });
-    return { redirectUrl: uri.href() };
+    return makeSyncWalletRedirect("tip.html", { tip_token: fields.tip });
   }
 
   // Synchronous fast path for refund
   if (fields.refund_url) {
     console.log("processing refund");
-    const uri = new 
URI(chrome.extension.getURL("/src/webex/pages/refund.html"));
-    uri.query({ refundUrl: fields.refund_url });
-    return { redirectUrl: uri.href() };
+    return makeSyncWalletRedirect("refund.html", { refundUrl: 
fields.refund_url });
   }
 
   // We need to do some asynchronous operation, we can't directly redirect

-- 
To stop receiving notification emails like this one, please contact
address@hidden


