Check for 3rd-party storage access in ifames (#14680)

Closes #14466
Jon Koops 2022-10-06 10:22:47 +02:00 committed by GitHub
parent 2ca23526ad
commit a670e1d965
3 changed files with 136 additions and 148 deletions


@ -1,27 +1,31 @@
<!--
~ Copyright 2020 Red Hat, Inc. and/or its affiliates
~ and other contributors as indicated by the @author tags.
~
~ Licensed under the Apache License, Version 2.0 (the "License");
~ you may not use this file except in compliance with the License.
~ You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing, software
~ distributed under the License is distributed on an "AS IS" BASIS,
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~ See the License for the specific language governing permissions and
~ limitations under the License.
-->
<!DOCTYPE html>
<html>
<body>
<script>
document.cookie = "KEYCLOAK_3P_COOKIE_SAMESITE=supported; max-age=60; samesite=none; secure"
document.cookie = "KEYCLOAK_3P_COOKIE=supported; max-age=60"
window.location = "step2.html"
</script>
</body>
<head>
<meta charset="utf-8" />
</head>
<body>
<script>
if ("hasStorageAccess" in document) {
checkStorageAccess();
} else {
placeTestCookie();
}
function checkStorageAccess() {
document.hasStorageAccess().then(function (hasAccess) {
window.parent.postMessage(
hasAccess ? "supported" : "unsupported",
"*"
);
});
}
function placeTestCookie() {
document.cookie =
"KEYCLOAK_3P_COOKIE_SAMESITE=supported; Max-Age=60; SameSite=None; Secure";
document.cookie = "KEYCLOAK_3P_COOKIE=supported; Max-Age=60";
window.location = "step2.html";
}
</script>
</body>
</html>
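Review bot: In the new checkStorageAccess() the promise returned by document.hasStorageAccess() has no rejection handler, so if it rejects the parent window receives neither "supported" nor "unsupported" and is left to whatever timeout it applies on its side. Ending the chain with a handler that still reports a result keeps the contract that every probe ends in exactly one postMessage, e.g. `}).catch(function () { window.parent.postMessage("unsupported", "*"); });`. The two branches also probe different things — the API answers whether this document currently has storage access, while the fallback does a cookie round-trip through step2.html — so a one-line comment above the `if ("hasStorageAccess" in document)` check stating that both are treated as equivalent signals of third-party cookie support would help the next reader.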


@ -1,32 +1,18 @@
<!--
~ Copyright 2020 Red Hat, Inc. and/or its affiliates
~ and other contributors as indicated by the @author tags.
~
~ Licensed under the Apache License, Version 2.0 (the "License");
~ you may not use this file except in compliance with the License.
~ You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing, software
~ distributed under the License is distributed on an "AS IS" BASIS,
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~ See the License for the specific language governing permissions and
~ limitations under the License.
-->
<!DOCTYPE html>
<html>
<body>
<script>
if (document.cookie.indexOf("KEYCLOAK_3P_COOKIE") !== -1) {
document.cookie = "KEYCLOAK_3P_COOKIE_SAMESITE=; expires=Thu, 01 Jan 1970 00:00:00 GMT; secure"
document.cookie = "KEYCLOAK_3P_COOKIE=; expires=Thu, 01 Jan 1970 00:00:00 GMT"
window.parent.postMessage("supported", "*")
}
else {
window.parent.postMessage("unsupported", "*")
}
</script>
</body>
<head>
<meta charset="utf-8" />
</head>
<body>
<script>
var hasAccess = document.cookie.indexOf("KEYCLOAK_3P_COOKIE") !== -1;
if (hasAccess) {
document.cookie = "KEYCLOAK_3P_COOKIE_SAMESITE=; Max-Age=0";
document.cookie = "KEYCLOAK_3P_COOKIE=; Max-Age=0";
}
window.parent.postMessage(hasAccess ? "supported" : "unsupported", "*");
</script>
</body>
</html>
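Review bot: The clean-up line `document.cookie = "KEYCLOAK_3P_COOKIE_SAMESITE=; Max-Age=0";` drops the SameSite=None and Secure attributes that step1.html sets this cookie with, and in a cross-site iframe a cookie written without SameSite=None is liable to be rejected by browsers that default to Lax, which would leave the 60-second test cookie in place instead of deleting it. Mirroring the attributes used at creation, `document.cookie = "KEYCLOAK_3P_COOKIE_SAMESITE=; Max-Age=0; SameSite=None; Secure";`, keeps the deletion effective in the same context the cookie was set in. The hasAccess test is a substring match on document.cookie and therefore matches both KEYCLOAK_3P_COOKIE and the _SAMESITE variant; if either cookie surviving is meant to count as supported, a short comment on that line would make the intent explicit.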


@ -1,127 +1,125 @@
<!--
~ Copyright 2016 Red Hat, Inc. and/or its affiliates
~ and other contributors as indicated by the @author tags.
~
~ Licensed under the Apache License, Version 2.0 (the "License");
~ you may not use this file except in compliance with the License.
~ You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing, software
~ distributed under the License is distributed on an "AS IS" BASIS,
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~ See the License for the specific language governing permissions and
~ limitations under the License.
-->
<!DOCTYPE html>
<html>
<body>
<script>
var init;
<head>
<meta charset="utf-8" />
</head>
<body>
<script>
var init;
function checkState(clientId, origin, sessionState, callback) {
function checkState(clientId, origin, sessionState, callback) {
var cookie = getCookie();
var checkCookie = function() {
if (clientId === init.clientId && origin === init.origin) {
var c = cookie.split('/');
if (sessionState === c[2]) {
callback('unchanged');
} else {
callback('changed');
}
var checkCookie = function () {
if (clientId === init.clientId && origin === init.origin) {
var c = cookie.split("/");
if (sessionState === c[2]) {
callback("unchanged");
} else {
callback('error');
callback("changed");
}
}
} else {
callback("error");
}
};
if (!init) {
var req = new XMLHttpRequest();
var req = new XMLHttpRequest();
var url = location.href.split("?")[0] + "/init";
url += "?client_id=" + encodeURIComponent(clientId);
url += "&origin=" + encodeURIComponent(origin);
var url = location.href.split("?")[0] + "/init";
url += "?client_id=" + encodeURIComponent(clientId);
url += "&origin=" + encodeURIComponent(origin);
req.open('GET', url, true);
req.open("GET", url, true);
req.onreadystatechange = function () {
if (req.readyState === 4) {
if (req.status === 204 || req.status === 1223) {
init = {
clientId: clientId,
origin: origin
}
if (!cookie) {
if (sessionState != '') {
callback('changed');
} else {
callback('unchanged');
}
} else {
checkCookie();
}
} else {
callback('error');
}
req.onreadystatechange = function () {
if (req.readyState === 4) {
if (req.status === 204 || req.status === 1223) {
init = {
clientId: clientId,
origin: origin,
};
if (!cookie) {
if (sessionState != "") {
callback("changed");
} else {
callback("unchanged");
}
} else {
checkCookie();
}
};
req.send();
} else if (!cookie) {
if (sessionState != '') {
callback('changed');
} else {
callback('unchanged');
} else {
callback("error");
}
}
} else {
checkCookie();
}
}
};
function getCookie()
{
var cookie = getCookieByName('KEYCLOAK_SESSION');
req.send();
} else if (!cookie) {
if (sessionState != "") {
callback("changed");
} else {
callback("unchanged");
}
} else {
checkCookie();
}
}
function getCookie() {
var cookie = getCookieByName("KEYCLOAK_SESSION");
if (cookie === null) {
return getCookieByName('KEYCLOAK_SESSION_LEGACY');
return getCookieByName("KEYCLOAK_SESSION_LEGACY");
}
return cookie;
}
}
function getCookieByName(name)
{
name = name + '=';
var ca = document.cookie.split(';');
for(var i=0; i<ca.length; i++)
{
var c = ca[i].trim();
if (c.indexOf(name)===0) return c.substring(name.length,c.length);
function getCookieByName(name) {
name = name + "=";
var ca = document.cookie.split(";");
for (var i = 0; i < ca.length; i++) {
var c = ca[i].trim();
if (c.indexOf(name) === 0) return c.substring(name.length, c.length);
}
return null;
}
}
function receiveMessage(event)
{
if (typeof event.data !== 'string') {
return
function receiveMessage(event) {
if (typeof event.data !== "string") {
return;
}
var origin = event.origin;
var data = event.data.split(' ');
var data = event.data.split(" ");
if (data.length != 2) {
return;
return;
}
var clientId = data[0];
var sessionState = data[1];
checkState(clientId, event.origin, sessionState, function(result) {
function doStateCheck() {
checkState(clientId, event.origin, sessionState, function (result) {
event.source.postMessage(result, origin);
});
}
});
}
window.addEventListener("message", receiveMessage, false);
</script>
</body>
if (!("hasStorageAccess" in document)) {
doStateCheck();
return;
}
document.hasStorageAccess().then(function (hasAccess) {
if (!hasAccess) {
event.source.postMessage("error");
return;
}
doStateCheck();
});
}
window.addEventListener("message", receiveMessage, false);
</script>
</body>
</html>
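Review bot: `event.source.postMessage("error");` in the new hasStorageAccess branch of receiveMessage omits the targetOrigin argument that the sibling call `event.source.postMessage(result, origin);` in doStateCheck passes; without it the call targets the iframe's own origin, and since event.source is the cross-origin application window the message is dropped, so the client never learns that storage access was denied and waits for its own timeout. Pass the origin captured from the event as the other call does: `event.source.postMessage("error", origin);`. The .then() on document.hasStorageAccess() also has no rejection handler, so a rejected promise leaves the caller without any reply in the same way; a .catch that posts "error" with the same origin would close that gap.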