Verify message comes from loginIframe
In the current implementation, a message coming from any window on the same origin may cause the refresh token to be cleared. In my case, messages generated by a Chrome extension were causing the application to log out unexpectedly. With the additional condition, only messages coming from the login iframe will be processed. Another suggestion would be to change the condition `event.data != "unchanged"` to something more specific.
parent
4845286e04
commit
a82278dcbf
1 changed files with 2 additions and 1 deletions
|
@ -832,10 +832,11 @@
|
||||||
document.body.appendChild(iframe);
|
document.body.appendChild(iframe);
|
||||||
|
|
||||||
var messageCallback = function(event) {
|
var messageCallback = function(event) {
|
||||||
if (event.origin !== loginIframe.iframeOrigin) {
|
if ((event.origin !== loginIframe.iframeOrigin) || (loginIframe.iframe.contentWindow !== event.source)) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
if (event.data != "unchanged") {
|
if (event.data != "unchanged") {
|
||||||
kc.clearToken();
|
kc.clearToken();
|
||||||
}
|
}
|
||||||
|
|
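Review bot: The new source check on the first `if` dereferences `loginIframe.iframe.contentWindow` on every message event, and the hunk does not show where `loginIframe.iframe` is assigned or whether it can be cleared while the listener is still registered; if it can, the handler would throw instead of dropping the message. The local `iframe` appended just above is already in the closure, so `if (event.origin !== loginIframe.iframeOrigin || event.source !== iframe.contentWindow) {` would tie the check to the frame this callback was created for. A comment such as `// Origin alone is not enough: other same-origin windows or extensions can post here; accept only our session iframe.` would record why both conditions are needed. The closing lines of messageCallback are outside the hunk.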