toil(front): restrict host in pollman (#454)

## 📝 Description

restrict host in pollman

## ✅ Checklist
- [x] I have tested this change
- [x] ~This change requires documentation update~

Author: radwo

front/assets/js/pollman.js

@@ -165,14 +165,24 @@ export var Pollman = {
   },
 
   fetchAndReplace: function (node, callback) {
-    let url = Pollman.requestUrl(node);
+    let url;
+
+    try {
+      url = Pollman.requestUrl(node);
+    } catch (error) {
+      console.error('Invalid poll URL, removing element:', error);
+      // Remove the invalid polling element to prevent further attempts
+      $(node).remove();
+      return;
+    }
+
     if (this.urlInProgress(url)) {
       return;
     }
 
     let newFetch = this.rememberFetch(Date.now());
-
     this.startForUrl(url);
+
     fetch(url, { credentials: "same-origin" })
       .then(function (response) {
         if (response.status >= 200 && response.status < 300) {
@@ -230,15 +240,31 @@ export var Pollman = {
   },
 
   requestUrl: function (node) {
-    var queryParams = new URLSearchParams();
+    const pollHref = node.getAttribute("data-poll-href");
+
+    try {
+      const pollUrl = new URL(pollHref, window.location.origin);
 
-    Array.from(node.attributes).forEach(function (attribute) {
-      if (attribute.name.startsWith("data-poll-param-")) {
-        var name = attribute.name.substring("data-poll-param-".length);
-        queryParams.append(name, attribute.value);
+      // Only allow same origin (same protocol, host, and port)
+      if (pollUrl.origin !== window.location.origin) {
+        console.error(`Blocked data-poll-href to unauthorized host: ${pollUrl.origin}`);
+        throw new Error(`data-poll-href must be same-origin. Got: ${pollUrl.origin}, Expected: ${window.location.origin}`);
       }
-    });
 
-    return `${node.getAttribute("data-poll-href")}?${queryParams}`;
+      // Build query parameters from data-poll-param-* attributes (existing logic)
+      var queryParams = new URLSearchParams();
+      Array.from(node.attributes).forEach(function (attribute) {
+        if (attribute.name.startsWith("data-poll-param-")) {
+          var name = attribute.name.substring("data-poll-param-".length);
+          queryParams.append(name, attribute.value);
+        }
+      });
+
+      return `${pollUrl.href}?${queryParams}`;
+
+    } catch (error) {
+      console.error('Invalid data-poll-href URL:', pollHref, error);
+      throw new Error('Invalid or unauthorized data-poll-href URL');
+    }
   },
 };

front/assets/js/pollman.spec.js

@@ -1,13 +1,34 @@
 /**
  * @prettier
  */
-
 import { expect } from "chai";
 import { Pollman } from "./pollman";
 import sinon from "sinon";
 
 describe("Pollman", () => {
   describe("#requestUrl", () => {
+    beforeEach(() => {
+      // Mock window.location.origin for the host validation
+      global.window = {
+        location: {
+          origin: "https://example.com"
+        }
+      };
+      global.URL = class URL {
+        constructor(url, base) {
+          if (url.startsWith('/')) {
+            this.href = base + url;
+            this.origin = base;
+          } else {
+            this.href = url;
+            // Extract origin from full URL
+            const match = url.match(/^(https?:\/\/[^\/]+)/);
+            this.origin = match ? match[1] : base;
+          }
+        }
+      };
+    });
+
     it("returns the URL from where to fetch the updated HTML node", () => {
       let node_mock = {
         attributes: [
@@ -23,33 +44,62 @@ describe("Pollman", () => {
           return attribute.value;
         },
       };
+      expect(Pollman.requestUrl(node_mock)).to.equal(
+        "https://example.com/resources/get?page=1&color=green&state=passed"
+      );
+    });
+
+    it("throws error for external domain", () => {
+      let node_mock = {
+        attributes: [
+          { name: "data-poll-href", value: "https://malicious.com/script.js" },
+        ],
+        getAttribute: function (name) {
+          let attribute = this.attributes.find(
+            (attribute) => attribute.name === name
+          );
+          return attribute.value;
+        },
+      };
+      expect(() => Pollman.requestUrl(node_mock)).to.throw(
+        "Invalid or unauthorized data-poll-href URL"
+      );
+    });
 
+    it("allows same origin with full URL", () => {
+      let node_mock = {
+        attributes: [
+          { name: "data-poll-href", value: "https://example.com/api/poll" },
+          { name: "data-poll-param-id", value: "123" },
+        ],
+        getAttribute: function (name) {
+          let attribute = this.attributes.find(
+            (attribute) => attribute.name === name
+          );
+          return attribute.value;
+        },
+      };
       expect(Pollman.requestUrl(node_mock)).to.equal(
-        "/resources/get?page=1&color=green&state=passed"
+        "https://example.com/api/poll?id=123"
       );
     });
   });
 
   describe("#elementsToRefresh", () => {
     before(function () {
       Pollman.init({startLooper: false});
-
       document.body.innerHTML = `
         <div data-poll-background="" data-poll-href="/resources/1" data-poll-state="poll"></div>
         <div data-poll-href="/resources/2" data-poll-state="poll"></div>
       `;
     });
-
     afterEach(function () {
       if (Pollman.pageIsVisible && Pollman.pageIsVisible.restore)
         Pollman.pageIsVisible.restore();
     });
-
     it("returns correct elements for visible page", () => {
       sinon.stub(Pollman, "pageIsVisible").returns(true);
-
       let elements = Pollman.elementsToRefresh();
-
       expect(elements.length).to.equal(2);
       expect(elements[0].outerHTML).to.equal(
         `<div data-poll-background="" data-poll-href="/resources/1" data-poll-state="poll"></div>`
@@ -58,10 +108,8 @@ describe("Pollman", () => {
         `<div data-poll-href="/resources/2" data-poll-state="poll"></div>`
       );
     });
-
     it("returns correct elements for visible page when forced to", () => {
       sinon.stub(Pollman, "pageIsVisible").returns(true);
-
       let elements = Pollman.elementsToRefresh({ forceRefresh: true });
       expect(elements.length).to.equal(2);
       expect(elements[0].outerHTML).to.equal(
@@ -71,20 +119,16 @@ describe("Pollman", () => {
         `<div data-poll-href="/resources/2" data-poll-state="poll"></div>`
       );
     });
-
     it("returns correct elements for not active tab", () => {
       sinon.stub(Pollman, "pageIsVisible").returns(false);
-
       let elements = Pollman.elementsToRefresh();
       expect(elements.length).to.equal(1);
       expect(elements[0].outerHTML).to.equal(
         `<div data-poll-background="" data-poll-href="/resources/1" data-poll-state="poll"></div>`
       );
     });
-
     it("returns correct elements for not active tab when forced to ", () => {
       sinon.stub(Pollman, "pageIsVisible").returns(false);
-
       let elements = Pollman.elementsToRefresh({ forceRefresh: true });
       expect(elements.length).to.equal(2);
       expect(elements[0].outerHTML).to.equal(