Development (#229)

* address security issues
* update dependencies

Author: Acktarius

package-lock.json

@@ -12,9 +12,9 @@
   },
   "main": "index.js",
   "dependencies": {
-    "@babel/helper-validator-identifier": "^7.24.6",
+    "@babel/helper-validator-identifier": "^7.27.1",
     "@types/node": "^24.0.14",
-    "dotenv": "^17.2.0",
+    "dotenv": "^17.2.1",
 
     "typescript": "^5.8.3",
     "workbox-build": "^7.3.0"

package.json

@@ -2,7 +2,7 @@
  * Copyright (c) 2018 Gnock
  * Copyright (c) 2018-2019 The Masari Project
  * Copyright (c) 2018-2020 The Karbo developers
- * Copyright (c) 2018-2023 Conceal Community, Conceal.Network & Conceal Devs
+ * Copyright (c) 2018-2025 Conceal Community, Conceal.Network & Conceal Devs
  *
  * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
  *
@@ -17,15 +17,38 @@
 
 import {WalletRepository} from "./model/WalletRepository";
 
+// List of allowed parent origins
+const ALLOWED_ORIGINS = [
+	'http://localhost:3000',
+	'https://wallet.conceal.network',
+	'https://wws.conceal.network'
+];
+
 function sendMessageToParent(type : string, data : any){
-	window.parent.postMessage({
-		type:type,
-		payload:data
-	}, '*');
+	// Get the parent origin from referrer or use the production URL as fallback
+	const parentOrigin = document.referrer ? 
+		new URL(document.referrer).origin : 
+		ALLOWED_ORIGINS[1]; // wallet.conceal.network
+	
+	// Only send message if the origin is in our allowed list
+	if (ALLOWED_ORIGINS.includes(parentOrigin)) {
+		window.parent.postMessage({
+			type: type,
+			payload: data
+		}, parentOrigin);
+	} else {
+		console.warn('Attempted to send message to non-allowed origin:', parentOrigin);
+	}
 }
 
 window.addEventListener('message', function(e : MessageEvent){
-	//console.log(e);
+	// Verify the origin of the message for security
+	if (!ALLOWED_ORIGINS.includes(e.origin)) {
+		console.warn('Received message from non-allowed origin:', e.origin);
+		return;
+	}
+	
+	// Process the message only if it comes from an allowed origin
 	if(e.data == 'hasWallet'){
 		sendMessageToParent('hasWallet', WalletRepository.hasOneStored());
 	}

src/api.ts

@@ -2,7 +2,7 @@
  * Copyright (c) 2018 Gnock
  * Copyright (c) 2018-2019 The Masari Project
  * Copyright (c) 2018-2020 The Karbo developers
- * Copyright (c) 2018-2023 Conceal Community, Conceal.Network & Conceal Devs
+ * Copyright (c) 2018-2025 Conceal Community, Conceal.Network & Conceal Devs
  *
  * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
  *
@@ -23,7 +23,20 @@ __WB_MANIFEST: any[];
 
 workbox.precaching.precacheAndRoute(self.__WB_MANIFEST);
 
+// List of allowed origins for cross-origin security
+const ALLOWED_ORIGINS = [
+	'http://localhost:3000',
+	'https://wallet.conceal.network',
+	'https://wws.conceal.network'
+];
+
 self.addEventListener('message', (event) => {
+	// Verify the origin of the message for security
+	if (!ALLOWED_ORIGINS.includes(event.origin)) {
+		console.warn('Service worker received message from non-allowed origin:', event.origin);
+		return;
+	}
+	
 	if (!event.data){
 		return;
 	}