prevent embedding wallet pages in other web pages

This commit is contained in:
Florian Dold 2018-02-07 16:15:40 +01:00
parent 9b0cd71a4d
commit f1bef0473b
No known key found for this signature in database
GPG Key ID: D2E4F00F29D02A4B
10 changed files with 120 additions and 87 deletions


@ -73,7 +73,7 @@ const paths = {
"emscripten/taler-emscripten-lib.js",
"img/icon.png",
"img/logo.png",
"src/**/*.{css,html}",
"src/**/*.{js,css,html}",
],
// for the source distribution
extra: [


@ -50,7 +50,7 @@
],
"web_accessible_resources": [
"src/*"
"src/webex/pages/redirect.html"
],
"background": {


@ -206,41 +206,41 @@ msgstr ""
msgid "%1$s being spent\n"
msgstr ""
#: src/webex/pages/popup.tsx:309
#: src/webex/pages/popup.tsx:310
#, c-format
msgid "Error: could not retrieve balance information."
msgstr ""
#: src/webex/pages/popup.tsx:336
#: src/webex/pages/popup.tsx:337
#, c-format
msgid "Payback"
msgstr ""
#: src/webex/pages/popup.tsx:337
#: src/webex/pages/popup.tsx:338
#, c-format
msgid "Return Electronic Cash to Bank Account"
msgstr ""
#: src/webex/pages/popup.tsx:338
#: src/webex/pages/popup.tsx:339
#, c-format
msgid "Manage Trusted Auditors and Exchanges"
msgstr ""
#: src/webex/pages/popup.tsx:350
#: src/webex/pages/popup.tsx:351
#, fuzzy, c-format
msgid ""
"Bank requested reserve (%1$s) for\n"
" %2$s.\n"
msgstr "Bank bestätig anlegen der Reserve (%1$s) bei %2$s"
#: src/webex/pages/popup.tsx:360
#: src/webex/pages/popup.tsx:361
#, fuzzy, c-format
msgid ""
"Started to withdraw\n"
" %1$s%2$sfrom%3$s(%4$s).\n"
msgstr "Reserve (%1$s) mit %2$s bei %3$s erzeugt"
#: src/webex/pages/popup.tsx:369
#: src/webex/pages/popup.tsx:370
#, fuzzy, c-format
msgid "Merchant%1$soffered%2$scontract%3$s.\n"
msgstr ""
@ -248,24 +248,24 @@ msgstr ""
" möchte einen Vertrag über %2$s\n"
" mit Ihnen abschließen."
#: src/webex/pages/popup.tsx:380
#: src/webex/pages/popup.tsx:381
#, fuzzy, c-format
msgid "Withdrew%1$sfrom%2$s(%3$s).\n"
msgstr "Reserve (%1$s) mit %2$s bei %3$s erzeugt"
#: src/webex/pages/popup.tsx:390
#: src/webex/pages/popup.tsx:391
#, fuzzy, c-format
msgid ""
"Paid%1$sto merchant%2$s.\n"
"%3$s(%4$s)\n"
msgstr "Reserve (%1$s) mit %2$s bei %3$s erzeugt"
#: src/webex/pages/popup.tsx:400
#: src/webex/pages/popup.tsx:401
#, c-format
msgid "Merchant%1$sgave a refund over%2$s.\n"
msgstr ""
#: src/webex/pages/popup.tsx:410
#: src/webex/pages/popup.tsx:411
#, fuzzy, c-format
msgid ""
"Merchant%1$sgave\n"
@ -276,17 +276,17 @@ msgstr ""
" möchte einen Vertrag über %2$s\n"
" mit Ihnen abschließen."
#: src/webex/pages/popup.tsx:420
#: src/webex/pages/popup.tsx:421
#, c-format
msgid "Unknown event (%1$s)"
msgstr ""
#: src/webex/pages/popup.tsx:463
#: src/webex/pages/popup.tsx:464
#, c-format
msgid "Error: could not retrieve event history"
msgstr ""
#: src/webex/pages/popup.tsx:488
#: src/webex/pages/popup.tsx:489
#, c-format
msgid "Your wallet has no events recorded."
msgstr "Ihre Geldbörse verzeichnet keine Vorkommnisse."


@ -206,63 +206,63 @@ msgstr ""
msgid "%1$s being spent\n"
msgstr ""
#: src/webex/pages/popup.tsx:309
#: src/webex/pages/popup.tsx:310
#, c-format
msgid "Error: could not retrieve balance information."
msgstr ""
#: src/webex/pages/popup.tsx:336
#: src/webex/pages/popup.tsx:337
#, c-format
msgid "Payback"
msgstr ""
#: src/webex/pages/popup.tsx:337
#: src/webex/pages/popup.tsx:338
#, c-format
msgid "Return Electronic Cash to Bank Account"
msgstr ""
#: src/webex/pages/popup.tsx:338
#: src/webex/pages/popup.tsx:339
#, c-format
msgid "Manage Trusted Auditors and Exchanges"
msgstr ""
#: src/webex/pages/popup.tsx:350
#: src/webex/pages/popup.tsx:351
#, c-format
msgid ""
"Bank requested reserve (%1$s) for\n"
" %2$s.\n"
msgstr ""
#: src/webex/pages/popup.tsx:360
#: src/webex/pages/popup.tsx:361
#, c-format
msgid ""
"Started to withdraw\n"
" %1$s%2$sfrom%3$s(%4$s).\n"
msgstr ""
#: src/webex/pages/popup.tsx:369
#: src/webex/pages/popup.tsx:370
#, c-format
msgid "Merchant%1$soffered%2$scontract%3$s.\n"
msgstr ""
#: src/webex/pages/popup.tsx:380
#: src/webex/pages/popup.tsx:381
#, c-format
msgid "Withdrew%1$sfrom%2$s(%3$s).\n"
msgstr ""
#: src/webex/pages/popup.tsx:390
#: src/webex/pages/popup.tsx:391
#, c-format
msgid ""
"Paid%1$sto merchant%2$s.\n"
"%3$s(%4$s)\n"
msgstr ""
#: src/webex/pages/popup.tsx:400
#: src/webex/pages/popup.tsx:401
#, c-format
msgid "Merchant%1$sgave a refund over%2$s.\n"
msgstr ""
#: src/webex/pages/popup.tsx:410
#: src/webex/pages/popup.tsx:411
#, c-format
msgid ""
"Merchant%1$sgave\n"
@ -270,17 +270,17 @@ msgid ""
"%4$s%5$s"
msgstr ""
#: src/webex/pages/popup.tsx:420
#: src/webex/pages/popup.tsx:421
#, c-format
msgid "Unknown event (%1$s)"
msgstr ""
#: src/webex/pages/popup.tsx:463
#: src/webex/pages/popup.tsx:464
#, c-format
msgid "Error: could not retrieve event history"
msgstr ""
#: src/webex/pages/popup.tsx:488
#: src/webex/pages/popup.tsx:489
#, c-format
msgid "Your wallet has no events recorded."
msgstr ""


@ -206,63 +206,63 @@ msgstr ""
msgid "%1$s being spent\n"
msgstr ""
#: src/webex/pages/popup.tsx:309
#: src/webex/pages/popup.tsx:310
#, c-format
msgid "Error: could not retrieve balance information."
msgstr ""
#: src/webex/pages/popup.tsx:336
#: src/webex/pages/popup.tsx:337
#, c-format
msgid "Payback"
msgstr ""
#: src/webex/pages/popup.tsx:337
#: src/webex/pages/popup.tsx:338
#, c-format
msgid "Return Electronic Cash to Bank Account"
msgstr ""
#: src/webex/pages/popup.tsx:338
#: src/webex/pages/popup.tsx:339
#, c-format
msgid "Manage Trusted Auditors and Exchanges"
msgstr ""
#: src/webex/pages/popup.tsx:350
#: src/webex/pages/popup.tsx:351
#, c-format
msgid ""
"Bank requested reserve (%1$s) for\n"
" %2$s.\n"
msgstr ""
#: src/webex/pages/popup.tsx:360
#: src/webex/pages/popup.tsx:361
#, c-format
msgid ""
"Started to withdraw\n"
" %1$s%2$sfrom%3$s(%4$s).\n"
msgstr ""
#: src/webex/pages/popup.tsx:369
#: src/webex/pages/popup.tsx:370
#, c-format
msgid "Merchant%1$soffered%2$scontract%3$s.\n"
msgstr ""
#: src/webex/pages/popup.tsx:380
#: src/webex/pages/popup.tsx:381
#, c-format
msgid "Withdrew%1$sfrom%2$s(%3$s).\n"
msgstr ""
#: src/webex/pages/popup.tsx:390
#: src/webex/pages/popup.tsx:391
#, c-format
msgid ""
"Paid%1$sto merchant%2$s.\n"
"%3$s(%4$s)\n"
msgstr ""
#: src/webex/pages/popup.tsx:400
#: src/webex/pages/popup.tsx:401
#, c-format
msgid "Merchant%1$sgave a refund over%2$s.\n"
msgstr ""
#: src/webex/pages/popup.tsx:410
#: src/webex/pages/popup.tsx:411
#, c-format
msgid ""
"Merchant%1$sgave\n"
@ -270,17 +270,17 @@ msgid ""
"%4$s%5$s"
msgstr ""
#: src/webex/pages/popup.tsx:420
#: src/webex/pages/popup.tsx:421
#, c-format
msgid "Unknown event (%1$s)"
msgstr ""
#: src/webex/pages/popup.tsx:463
#: src/webex/pages/popup.tsx:464
#, c-format
msgid "Error: could not retrieve event history"
msgstr ""
#: src/webex/pages/popup.tsx:488
#: src/webex/pages/popup.tsx:489
#, c-format
msgid "Your wallet has no events recorded."
msgstr ""


@ -206,63 +206,63 @@ msgstr ""
msgid "%1$s being spent\n"
msgstr ""
#: src/webex/pages/popup.tsx:309
#: src/webex/pages/popup.tsx:310
#, c-format
msgid "Error: could not retrieve balance information."
msgstr ""
#: src/webex/pages/popup.tsx:336
#: src/webex/pages/popup.tsx:337
#, c-format
msgid "Payback"
msgstr ""
#: src/webex/pages/popup.tsx:337
#: src/webex/pages/popup.tsx:338
#, c-format
msgid "Return Electronic Cash to Bank Account"
msgstr ""
#: src/webex/pages/popup.tsx:338
#: src/webex/pages/popup.tsx:339
#, c-format
msgid "Manage Trusted Auditors and Exchanges"
msgstr ""
#: src/webex/pages/popup.tsx:350
#: src/webex/pages/popup.tsx:351
#, c-format
msgid ""
"Bank requested reserve (%1$s) for\n"
" %2$s.\n"
msgstr ""
#: src/webex/pages/popup.tsx:360
#: src/webex/pages/popup.tsx:361
#, c-format
msgid ""
"Started to withdraw\n"
" %1$s%2$sfrom%3$s(%4$s).\n"
msgstr ""
#: src/webex/pages/popup.tsx:369
#: src/webex/pages/popup.tsx:370
#, c-format
msgid "Merchant%1$soffered%2$scontract%3$s.\n"
msgstr ""
#: src/webex/pages/popup.tsx:380
#: src/webex/pages/popup.tsx:381
#, c-format
msgid "Withdrew%1$sfrom%2$s(%3$s).\n"
msgstr ""
#: src/webex/pages/popup.tsx:390
#: src/webex/pages/popup.tsx:391
#, c-format
msgid ""
"Paid%1$sto merchant%2$s.\n"
"%3$s(%4$s)\n"
msgstr ""
#: src/webex/pages/popup.tsx:400
#: src/webex/pages/popup.tsx:401
#, c-format
msgid "Merchant%1$sgave a refund over%2$s.\n"
msgstr ""
#: src/webex/pages/popup.tsx:410
#: src/webex/pages/popup.tsx:411
#, c-format
msgid ""
"Merchant%1$sgave\n"
@ -270,17 +270,17 @@ msgid ""
"%4$s%5$s"
msgstr ""
#: src/webex/pages/popup.tsx:420
#: src/webex/pages/popup.tsx:421
#, c-format
msgid "Unknown event (%1$s)"
msgstr ""
#: src/webex/pages/popup.tsx:463
#: src/webex/pages/popup.tsx:464
#, c-format
msgid "Error: could not retrieve event history"
msgstr ""
#: src/webex/pages/popup.tsx:488
#: src/webex/pages/popup.tsx:489
#, c-format
msgid "Your wallet has no events recorded."
msgstr ""


@ -206,63 +206,63 @@ msgstr ""
msgid "%1$s being spent\n"
msgstr ""
#: src/webex/pages/popup.tsx:309
#: src/webex/pages/popup.tsx:310
#, c-format
msgid "Error: could not retrieve balance information."
msgstr ""
#: src/webex/pages/popup.tsx:336
#: src/webex/pages/popup.tsx:337
#, c-format
msgid "Payback"
msgstr ""
#: src/webex/pages/popup.tsx:337
#: src/webex/pages/popup.tsx:338
#, c-format
msgid "Return Electronic Cash to Bank Account"
msgstr ""
#: src/webex/pages/popup.tsx:338
#: src/webex/pages/popup.tsx:339
#, c-format
msgid "Manage Trusted Auditors and Exchanges"
msgstr ""
#: src/webex/pages/popup.tsx:350
#: src/webex/pages/popup.tsx:351
#, c-format
msgid ""
"Bank requested reserve (%1$s) for\n"
" %2$s.\n"
msgstr ""
#: src/webex/pages/popup.tsx:360
#: src/webex/pages/popup.tsx:361
#, c-format
msgid ""
"Started to withdraw\n"
" %1$s%2$sfrom%3$s(%4$s).\n"
msgstr ""
#: src/webex/pages/popup.tsx:369
#: src/webex/pages/popup.tsx:370
#, c-format
msgid "Merchant%1$soffered%2$scontract%3$s.\n"
msgstr ""
#: src/webex/pages/popup.tsx:380
#: src/webex/pages/popup.tsx:381
#, c-format
msgid "Withdrew%1$sfrom%2$s(%3$s).\n"
msgstr ""
#: src/webex/pages/popup.tsx:390
#: src/webex/pages/popup.tsx:391
#, c-format
msgid ""
"Paid%1$sto merchant%2$s.\n"
"%3$s(%4$s)\n"
msgstr ""
#: src/webex/pages/popup.tsx:400
#: src/webex/pages/popup.tsx:401
#, c-format
msgid "Merchant%1$sgave a refund over%2$s.\n"
msgstr ""
#: src/webex/pages/popup.tsx:410
#: src/webex/pages/popup.tsx:411
#, c-format
msgid ""
"Merchant%1$sgave\n"
@ -270,17 +270,17 @@ msgid ""
"%4$s%5$s"
msgstr ""
#: src/webex/pages/popup.tsx:420
#: src/webex/pages/popup.tsx:421
#, c-format
msgid "Unknown event (%1$s)"
msgstr ""
#: src/webex/pages/popup.tsx:463
#: src/webex/pages/popup.tsx:464
#, c-format
msgid "Error: could not retrieve event history"
msgstr ""
#: src/webex/pages/popup.tsx:488
#: src/webex/pages/popup.tsx:489
#, c-format
msgid "Your wallet has no events recorded."
msgstr ""


@ -0,0 +1,14 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<script src="/src/webex/pages/redirect.js"></script>
</head>
<body>
Redirecting to extension page ...
</body>
</html>


@ -0,0 +1,12 @@
/**
* This is the entry point for redirects, and should be the only
* web-accessible resource declared in the manifest. This prevents
* malicious websites from embedding wallet pages in them.
*
* We still need this redirect page since a webRequest can only directly
* redirect to pages inside the extension that are a web-accessible resource.
*/
const myUrl = new URL(window.location.href);
window.location.replace(myUrl.searchParams.get("url"));
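Review bot: The `url` query parameter is handed to `window.location.replace` unchecked on the last line: `searchParams.get("url")` is `null` when the parameter is absent (replace would then navigate to the relative path "null"), and a present value is not constrained to the extension's own pages, which is what the header comment says this file exists to guarantee. Because the manifest hunk above makes redirect.html the only web-accessible resource, this line is now the single entry path into wallet pages, so the origin check belongs here rather than in the pages it forwards to. I would replace the last line with `const target = myUrl.searchParams.get("url");` and `if (target !== null && new URL(target, myUrl).origin === myUrl.origin) { window.location.replace(target); }`, and extend the header comment to state that only targets on the extension origin are followed. An unparsable value makes `new URL` throw, which just leaves the stub page showing its "Redirecting" text; if this file is compiled from TypeScript with strictNullChecks, the current call would also fail to type-check since `get` returns `string | null`.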


@ -449,6 +449,21 @@ async function talerPay(fields: any, url: string, tabId: number): Promise<string
}
function makeSyncWalletRedirect(url: string, params?: {[name: string]: string | undefined}): object {
const innerUrl = new URI(chrome.extension.getURL("/src/webex/pages/" + url));
if (params) {
for (const key in params) {
if (params[key]) {
innerUrl.addSearch(key, params[key]);
}
}
}
const outerUrl = new URI(chrome.extension.getURL("/src/webex/pages/redirect.html"));
outerUrl.addSearch("url", innerUrl);
return { redirectUrl: outerUrl.href() };
}
/**
* Handle a HTTP response that has the "402 Payment Required" status.
* In this callback we don't have access to the body, and must communicate via
@ -497,30 +512,22 @@ function handleHttpPayment(headerList: chrome.webRequest.HttpHeader[], url: stri
}
// Synchronous fast path for new contract
if (fields.contract_url) {
const uri = new URI(chrome.extension.getURL("/src/webex/pages/confirm-contract.html"));
uri.addSearch("contractUrl", fields.contract_url);
if (fields.session_id) {
uri.addSearch("sessionId", fields.session_id);
}
if (fields.resource_url) {
uri.addSearch("resourceUrl", fields.resource_url);
}
return { redirectUrl: uri.href() };
return makeSyncWalletRedirect("confirm-contract.html", {
contractUrl: fields.contract_url,
sessionId: fields.session_id,
resourceUrl: fields.resource_url,
});
}
// Synchronous fast path for tip
if (fields.tip) {
const uri = new URI(chrome.extension.getURL("/src/webex/pages/tip.html"));
uri.query({ tip_token: fields.tip });
return { redirectUrl: uri.href() };
return makeSyncWalletRedirect("tip.html", { tip_token: fields.tip });
}
// Synchronous fast path for refund
if (fields.refund_url) {
console.log("processing refund");
const uri = new URI(chrome.extension.getURL("/src/webex/pages/refund.html"));
uri.query({ refundUrl: fields.refund_url });
return { redirectUrl: uri.href() };
return makeSyncWalletRedirect("refund.html", { refundUrl: fields.refund_url });
}
// We need to do some asynchronous operation, we can't directly redirect