Merge pull request #2995 from stianst/KEYCLOAK-2617

KEYCLOAK-2617 Ignore postmessages if not initiated by keycloak.js
2016-07-04 19:19:34 +02:00 · 2016-07-04 19:19:34 +02:00 · dd6434a487
commit dd6434a487
parent 842b811a41 f3a780cc2d
1 changed files with 16 additions and 2 deletions
--- a/adapters/oidc/js/src/main/resources/keycloak.js
+++ b/adapters/oidc/js/src/main/resources/keycloak.js
@ -792,8 +792,22 @@
                if (event.origin !== loginIframe.iframeOrigin) {
                    return;
                }
+
+                try {
                    var data = JSON.parse(event.data);
+                } catch (err) {
+                    return;
+                }
+
+                if (!data.callbackId) {
+                    return;
+                }
+
                var promise = loginIframe.callbackMap[data.callbackId];
+                if (!promise) {
+                    return;
+                }
+
                delete loginIframe.callbackMap[data.callbackId];

                if ((!kc.sessionId || kc.sessionId == data.session) && data.loggedIn) {