This repository was archived by the owner on Sep 11, 2024. It is now read-only.
Fix OpenID requests from widgets #4459
Merged
+6
−1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fixes element-hq/element-web#13131 Widgets can request an OpenID token to authenticate the user when the widget is missing authentication information. A common case for this is the Dimension sticker picker: sometimes the Riot is running in doesn't have the configuration to match the Dimension instance, so Riot rightly refuses to send an auth token to the widget. When this happens, it requests a token through postMessage(). There's a toggle on the permission dialog to remember the setting, which is the widget's security key. As an added measure, the security key generation ensures the widget URL matches as the 'remember this choice' toggle will silently work in the background, and it could be dangerous if the widget's URL changed and Riot secretly allows the widget to identify the user. This check was failing because the WidgetMessaging class was being set up with the rendered URL, which will not match the widget's URL at all. To fix this, we simply use the widget's URL to set up the messaging, which by proxy uses the right URL in calculating the security key.
jryans
approved these changes
Apr 23, 2020
Collaborator
jryans
left a comment
jryans
left a comment
There was a problem hiding this comment.
Thanks for the detailed explanation. It seems safe given that info. 😁
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes element-hq/element-web#13131
The rest of this PR description is additional information not defined in the diff. It's largely for reference by those who might have no idea what this is.
Widgets can request an OpenID token to authenticate the user when the widget is missing authentication information. A common case for this is the Dimension sticker picker: sometimes the Riot is running in doesn't have the configuration to match the Dimension instance, so Riot rightly refuses to send an auth token to the widget. When this happens, it requests a token through postMessage().
There's a toggle on the permission dialog to remember the setting, which is the widget's security key. As an added measure, the security key generation ensures the widget URL matches as the 'remember this choice' toggle will silently work in the background, and it could be dangerous if the widget's URL changed and Riot secretly allows the widget to identify the user. This check was failing because the WidgetMessaging class was being set up with the rendered URL, which will not match the widget's URL at all. To fix this, we simply use the widget's URL to set up the messaging, which by proxy uses the right URL in calculating the security key.
Edit: the dialog, though irrelevant for this PR:
