diff --git a/src/ConfigContext.ts b/src/ConfigContext.ts
index 5fc2d889a..bcf994e9f 100644
--- a/src/ConfigContext.ts
+++ b/src/ConfigContext.ts
@@ -31,10 +31,11 @@ interface ConfigContext {
 let configContext: Readonly = {
 platform: Platform.Portal,
 allowedParentFrameOrigins: [
- `^https:\\/\\/cosmos.azure.(com|cn|us)$`,
- `^https:\\/\\/[\\.\\w]+.portal.azure.(com|cn|us)$`,
- `^https:\\/\\/[\\.\\w]+.ext.azure.(com|cn|us)$`,
- `^https:\\/\\/[\\.\\w]+microsoftazure.de$`
+ `^https:\\/\\/cosmos\\.azure\\.(com|cn|us)$`,
+ `^https:\\/\\/[\\.\\w]*portal\\.azure\\.(com|cn|us)$`,
+ `^https:\\/\\/[\\.\\w]*ext\\.azure\\.(com|cn|us)$`,
+ `^https:\\/\\/[\\.\\w]*\\.ext\\.microsoftazure\\.de$`,
+ `^https://cosmos-db-dataexplorer-germanycentral.azurewebsites.de$`
 ],
 // Webpack injects this at build time
 gitSha: process.env.GIT_SHA,
diff --git a/src/Utils/MessageValidation.test.ts b/src/Utils/MessageValidation.test.ts
index bc205241f..650986d53 100644
--- a/src/Utils/MessageValidation.test.ts
+++ b/src/Utils/MessageValidation.test.ts
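Review bot: The new `[\\.\\w]*` prefix in the portal and ext patterns is not required to end in a dot, so a host whose first label is merely fused to the allowed name — `https://maliciousportal.azure.com` against `[\\.\\w]*portal\\.azure\\.(com|cn|us)$`, or `https://text.azure.com` against `[\\.\\w]*ext\\.azure\\.(com|cn|us)$` — still passes, even though the only extra host the `*` was meant to admit is the bare `https://portal.azure.com`. An optional-label prefix such as `([\\w-]+\\.)*portal\\.azure\\.(com|cn|us)$` admits the bare host and every true subdomain without the fused form; whether `-` belongs in the label class depends on the real portal hostnames, which I cannot confirm from here. The last entry, `^https://cosmos-db-dataexplorer-germanycentral.azurewebsites.de$`, leaves its dots and slashes unescaped unlike the four entries above it, so each `.` is a regex wildcard; for consistency it should read `^https:\\/\\/cosmos-db-dataexplorer-germanycentral\\.azurewebsites\\.de$`. The `configContext` object continues outside the hunk.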
@@ -1,21 +1,25 @@
 import { isInvalidParentFrameOrigin } from "./MessageValidation";
 test.each`
- domain | expected
- ${"https://cosmos.azure.com"} | ${false}
- ${"https://cosmos.azure.us"} | ${false}
- ${"https://cosmos.azure.cn"} | ${false}
- ${"https://cosmos.microsoftazure.de"} | ${false}
- ${"https://subdomain.portal.azure.com"} | ${false}
- ${"https://subdomain.portal.azure.us"} | ${false}
- ${"https://subdomain.portal.azure.cn"} | ${false}
- ${"https://subdomain.microsoftazure.de"} | ${false}
- ${"https://main.documentdb.ext.azure.com"} | ${false}
- ${"https://main.documentdb.ext.azure.us"} | ${false}
- ${"https://main.documentdb.ext.azure.cn"} | ${false}
- ${"https://main.documentdb.ext.microsoftazure.de"} | ${false}
- ${"https://random.domain"} | ${true}
- ${"https://malicious.cloudapp.azure.com"} | ${true}
+ domain | expected
+ ${"https://cosmos.azure.com"} | ${false}
+ ${"https://cosmos.azure.us"} | ${false}
+ ${"https://cosmos.azure.cn"} | ${false}
+ ${"https://portal.azure.com"} | ${false}
+ ${"https://portal.azure.us"} | ${false}
+ ${"https://portal.azure.cn"} | ${false}
+ ${"https://subdomain.portal.azure.com"} | ${false}
+ ${"https://subdomain.portal.azure.us"} | ${false}
+ ${"https://subdomain.portal.azure.cn"} | ${false}
+ ${"https://main.documentdb.ext.azure.com"} | ${false}
+ ${"https://main.documentdb.ext.azure.us"} | ${false}
+ ${"https://main.documentdb.ext.azure.cn"} | ${false}
+ ${"https://main.documentdb.ext.microsoftazure.de"} | ${false}
+ ${"https://random.domain"} | ${true}
+ ${"https://malicious.cloudapp.azure.com"} | ${true}
+ ${"https://malicious.germanycentral.cloudapp.microsoftazure.de"} | ${true}
+ ${"https://maliciousazure.com"} | ${true}
+ ${"https://maliciousportalsazure.com"} | ${true}
 `("returns $expected when called with $domain", ({ domain, expected }) => {
 expect(isInvalidParentFrameOrigin({ origin: domain } as MessageEvent)).toBe(expected);
 });
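Review bot: The added negative rows stop at `maliciousportalsazure.com` and `maliciousazure.com`, neither of which exercises the case the new `[\\.\\w]*` prefix in ConfigContext.ts still admits — a label fused directly onto the allowed host — so a row `${"https://maliciousportal.azure.com"} | ${true}` (and likewise `${"https://text.azure.com"} | ${true}`) would presumably fail against the current patterns, which is exactly the gap the table should pin. The new `azurewebsites.de` entry has no positive row either; `${"https://cosmos-db-dataexplorer-germanycentral.azurewebsites.de"} | ${false}` would check its escaping rather than assume it. The rows for `cosmos.microsoftazure.de` and `subdomain.microsoftazure.de` were dropped rather than flipped; if those origins are now intentionally rejected, keeping them as `${true}` rows documents that decision.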
diff --git a/src/Utils/MessageValidation.ts b/src/Utils/MessageValidation.ts
index 5d7cd9931..215f4db76 100644
--- a/src/Utils/MessageValidation.ts
+++ b/src/Utils/MessageValidation.ts
@@ -17,5 +17,6 @@ function isValidOrigin(allowedOrigins: string[], event: MessageEvent): boolean {
 return true;
 }
 }
+ console.error(`Invalid parent frame origin detected: ${eventOrigin}`);
 return false;
 }
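Review bot: The new log line hard-codes the wording "parent frame origin" inside `isValidOrigin`, whose `allowedOrigins` parameter makes it a general-purpose allowlist check, so any other caller of this helper would log a misleading message; either move the `console.error` up into `isInvalidParentFrameOrigin` (the entry point the test file exercises) or make the text neutral, e.g. a template literal reading `Origin ${eventOrigin} is not in the allowed origin list`. `eventOrigin` presumably derives from `event.origin`, which is attacker-chosen but browser-normalised (scheme, host, port, or the literal string "null" for opaque origins) rather than free text, so interpolating it into a console message is acceptable. The declaration of `eventOrigin` and the start of `isValidOrigin` are outside the hunk.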