Commit af55262
security: whitelist message types in content script relay
Add an ALLOWED_TYPES whitelist to validate the type field from page
events before forwarding to the background script. Previously, the
type field came directly from the page with no validation, and the
spread operator forwarded arbitrary fields, allowing a malicious page
to invoke internal extension message handlers or inject unexpected
data. Now only known NIP message types are forwarded, and only safe
fields per message type are included in the forwarded message.
Co-Authored-By: claude-flow <ruv@ruv.net>1 parent b83f414 commit af55262
1 file changed
Lines changed: 32 additions & 2 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
314 | 314 | | |
315 | 315 | | |
316 | 316 | | |
| 317 | + | |
| 318 | + | |
| 319 | + | |
| 320 | + | |
| 321 | + | |
| 322 | + | |
| 323 | + | |
| 324 | + | |
| 325 | + | |
| 326 | + | |
| 327 | + | |
317 | 328 | | |
318 | 329 | | |
319 | 330 | | |
320 | 331 | | |
321 | 332 | | |
322 | 333 | | |
| 334 | + | |
| 335 | + | |
| 336 | + | |
| 337 | + | |
| 338 | + | |
| 339 | + | |
| 340 | + | |
| 341 | + | |
| 342 | + | |
| 343 | + | |
| 344 | + | |
| 345 | + | |
| 346 | + | |
| 347 | + | |
| 348 | + | |
| 349 | + | |
| 350 | + | |
| 351 | + | |
| 352 | + | |
323 | 353 | | |
324 | | - | |
| 354 | + | |
325 | 355 | | |
326 | 356 | | |
327 | | - | |
| 357 | + | |
328 | 358 | | |
329 | 359 | | |
330 | 360 | | |
| |||
0 commit comments