Merge pull request #196 from hypothesis/host-settings-whitelist

Only import known config params from the host page

Merge pull request #196 from hypothesis/host-settings-whitelist
Only import known config params from the host page
532dcaab · Sean Roberts · GitHub · 9d639fea · b2e86aaf · 532dcaab
Commit 532dcaab authored Jan 24, 2017 by Sean Roberts Committed by GitHub Jan 24, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 83 additions and 6 deletions

app.js src/sidebar/app.js +5 -6

host-config.js src/sidebar/host-config.js +39 -0

host-config-test.js src/sidebar/test/host-config-test.js +39 -0

No files found.
--- a/src/sidebar/app.js
+++ b/src/sidebar/app.js
 'use strict';

-var queryString = require('query-string');
-
 var addAnalytics = require('./ga');
 require('../shared/polyfills');

 var raven;

-// Initialize Raven. This is required at the top of this file
-// so that it happens early in the app's startup flow
-var configParam = queryString.parse(window.location.search).config || 'null';
 var settings = require('../shared/settings')(document);
-Object.assign(settings, JSON.parse(configParam));
 if (settings.raven) {
+  // Initialize Raven. This is required at the top of this file
+  // so that it happens early in the app's startup flow
  raven = require('./raven');
  raven.init(settings.raven);
 }

+var hostPageConfig = require('./host-config');
+Object.assign(settings, hostPageConfig(window));
+
 // Disable Angular features that are not compatible with CSP.
 //
 // See https://docs.angularjs.org/api/ng/directive/ngCsp

--- a/src/sidebar/host-config.js
+++ b/src/sidebar/host-config.js
+'use strict';
+
+var queryString = require('query-string');
+
+/**
+ * Return the app configuration specified by the frame embedding the Hypothesis
+ * client.
+ */
+function hostPageConfig(window) {
+  var configJSON = queryString.parse(window.location.search).config;
+  var config = JSON.parse(configJSON || '{}');
+
+  // Known configuration parameters which we will import from the host page.
+  // Note that since the host page is untrusted code, the filtering needs to
+  // be done here.
+  var paramWhiteList = [
+    // Direct-linked annotation ID
+    'annotations',
+
+    // Config param added by the extension, Via etc.  indicating how Hypothesis
+    // was added to the page.
+    'appType',
+
+    // Config params documented at
+    // https://github.com/hypothesis/client/blob/master/docs/config.md
+    'openLoginForm',
+    'openSidebar',
+    'showHighlights',
+  ];
+
+  return Object.keys(config).reduce(function (result, key) {
+    if (paramWhiteList.indexOf(key) !== -1) {
+      result[key] = config[key];
+    }
+    return result;
+  }, {});
+}
+
+module.exports = hostPageConfig;
--- a/src/sidebar/test/host-config-test.js
+++ b/src/sidebar/test/host-config-test.js
+'use strict';
+
+var hostPageConfig = require('../host-config');
+
+function fakeWindow(config) {
+  return {
+    location: {
+      search: '?config=' + JSON.stringify(config),
+    },
+  };
+}
+
+describe('hostPageConfig', function () {
+  it('parses config from location string and returns whitelisted params', function () {
+    var window_ = fakeWindow({
+      annotations: '1234',
+      appType: 'bookmarklet',
+      openSidebar: true,
+      openLoginForm: true,
+      showHighlights: true,
+    });
+
+    assert.deepEqual(hostPageConfig(window_), {
+      annotations: '1234',
+      appType: 'bookmarklet',
+      openSidebar: true,
+      openLoginForm: true,
+      showHighlights: true,
+    });
+  });
+
+  it('ignores non-whitelisted config params', function () {
+    var window_ = fakeWindow({
+      apiUrl: 'https://not-the-hypothesis/api',
+    });
+
+    assert.deepEqual(hostPageConfig(window_), {});
+  });
+});