Verify message comes from loginIframe

In the current implementation a message coming from any window on the same origin may cause the refresh token to be cleared.
In my case, messages generated by a chrome extension were causing the application to logout unexpectedly. With additional condition only messages coming from the login iFrame will be processed. Another suggestion would be changing the condition `event.data != "unchanged"` to something more specific.
This commit is contained in:
diego0020 2017-04-04 16:32:21 -05:00 committed by GitHub
parent 4845286e04
commit a82278dcbf

View file

@ -832,10 +832,11 @@
document.body.appendChild(iframe); document.body.appendChild(iframe);
var messageCallback = function(event) { var messageCallback = function(event) {
if (event.origin !== loginIframe.iframeOrigin) { if ((event.origin !== loginIframe.iframeOrigin) || (loginIframe.iframe.contentWindow !== event.source)) {
return; return;
} }
if (event.data != "unchanged") { if (event.data != "unchanged") {
kc.clearToken(); kc.clearToken();
} }