notes plugin allows messsages from current/upcoming slide windows

Spotrix · Mar 21, 2022 · 0247ae7 · 0247ae7
1 parent 3140708
commit 0247ae7
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 5 deletions.
diff --git a/plugin/notes/notes.esm.js b/plugin/notes/notes.esm.js
diff --git a/plugin/notes/notes.js b/plugin/notes/notes.js
diff --git a/plugin/notes/plugin.js b/plugin/notes/plugin.js
@@ -203,6 +203,7 @@ const Plugin = () => {
 					// that we remain connected to the notes even if the presentation
 					// is reloaded.
 					window.addEventListener( 'message', event => {
+
 						if( !speakerWindow && typeof event.data === 'string' ) {
 							let data;
 

diff --git a/plugin/notes/speaker-view.html b/plugin/notes/speaker-view.html
@@ -350,7 +350,8 @@ <h4 class="label">Notes</h4>
 					layoutDropdown,
 					pendingCalls = {},
 					lastRevealApiCallId = 0,
-					connected = false;
+					connected = false,
+					whitelistedWindows = [window.opener];
 
 				var SPEAKER_LAYOUTS = {
 					'default': 'Default',
@@ -368,8 +369,8 @@ <h4 class="label">Notes</h4>
 ;
 				window.addEventListener( 'message', function( event ) {
 
-					// Validate the origin of this message to avoid XSS
-					if( window.location.origin !== event.origin && event.source !== window.opener ) {
+					// Validate the origin of this message to prevent XSS
+					if( window.location.origin !== event.origin && whitelistedWindows.indexOf( event.source ) === -1 ) {
 						return;
 					}
 
@@ -538,6 +539,8 @@ <h4 class="label">Notes</h4>
 					upcomingSlide.setAttribute( 'src', upcomingURL );
 					document.querySelector( '#upcoming-slide' ).appendChild( upcomingSlide );
 
+					whitelistedWindows.push( currentSlide.contentWindow, upcomingSlide.contentWindow );
+
 				}
 
 				/**