Stop suspicious widgets

Change-Id: Ie82a211a3774609ecf8612a85f0b8dd7457f231e
diff --git a/dev/js/src/plugin/client.js b/dev/js/src/plugin/client.js
index 6918da4..1c2af18 100644
--- a/dev/js/src/plugin/client.js
+++ b/dev/js/src/plugin/client.js
@@ -18,6 +18,11 @@
 *   add a unique ID to the message and will call on the cb
 *   once the answer to that message arrives.
 */
+/*
+ * When loading the script from a remote KorAP instance,
+ * demand using integrity check:
+ * https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
+ */
 
 var cs = document.currentScript;
 
diff --git a/dev/js/src/plugin/server.js b/dev/js/src/plugin/server.js
index db59422..d26de27 100644
--- a/dev/js/src/plugin/server.js
+++ b/dev/js/src/plugin/server.js
@@ -16,7 +16,8 @@
   //   to hundred. For every message, this will be decreased
   //   (down to 0), for every second this will be increased
   //   (up to 100).
-  var c = 100;
+  var maxMessages = 100;
+  var limits = {};
 
   // Contains all widgets to address with
   // messages to them
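Review bot: `limits` is declared as a plain `{}` and is later indexed with `d["originID"]`, a value taken from the message payload in the `_receiveMsg` hunk. A sender-chosen key such as `constructor` resolves to an inherited member on both `widgets` and `limits`, so the `!widget` guard passes for an id that was never registered. Declaring the map as `var limits = Object.create(null);` (and likewise `widgets`, whose declaration is outside this hunk), or guarding the lookup with `Object.prototype.hasOwnProperty.call(widgets, id)`, restricts lookups to registered ids. The comment above the declaration still describes a single counter and could read `// Per-widget message budget: decreased per message, refilled by one per second up to maxMessages`.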
@@ -41,6 +42,15 @@
       window.addEventListener("message", function (e) {
         that._receiveMsg(e);
       });
+
+      // Every second increase the limits of all registered widgets
+      var myTimer = setInterval(function () {
+        for (var i in limits) {
+          if (limits[i]++ >= maxMessages) {
+            limits[i] = maxMessages;
+          }
+        }
+      }, 1000);
       return this;
     },
 
@@ -57,6 +67,7 @@
 
       // Store the widget based on the identifier
       widgets[id] = widget;
+      limits[id] = maxMessages;
 
       // Open widget in frontend
       element.appendChild(
@@ -69,18 +80,37 @@
       // Get event data
       var d = e.data;
 
-      // e.origin is probably set and okay
+      // If no data given - fail
+      // (probably check that it's an assoc array)
+      if (!d)
+        return;
+
+      // e.origin is probably set and okay - CHECK!
 
       // TODO:
       //   Deal with mad iframes
 
+      // Get origin ID
+      var id = d["originID"];
+
+      // If no origin ID given - fail
+      if (!id)
+        return;
+
       // Get the widget
-      var widget = widgets[d["originID"]];
+      var widget = widgets[id];
 
       // If the addressed widget does not exist - fail
       if (!widget)
         return;
 
+      // Check for message limits
+      if (limits[id]-- < 0) {
+        widget.shutdown();
+        delete limits[id];
+        delete widgets[id];
+        return;
+      };
 
       // Resize the iframe
       if (d.action === 'resize') {
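Review bot: The rate limit is keyed on `d["originID"]`, which the sender writes into the message itself, and neither `e.origin` nor `e.source` is compared with the registered widget before `limits[id]--` runs. Any frame able to post to this window can therefore spend another widget's budget and get it shut down, while the comment `e.origin is probably set and okay - CHECK!` leaves the check open. Binding the id to the sending window before the budget is charged would close that, for example `if (e.source !== widget._element.contentWindow) return;`, assuming `_element` is the widget's iframe (its definition is outside this diff). Separately, `limits[id]-- < 0` lets one message more than `maxMessages` through before shutdown, so `<= 0` would match the documented budget, and the `;` after the closing brace is a stray empty statement. `_receiveMsg` continues past the end of this hunk.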
diff --git a/dev/js/src/plugin/widget.js b/dev/js/src/plugin/widget.js
index 4c2f09c..cb4a33d 100644
--- a/dev/js/src/plugin/widget.js
+++ b/dev/js/src/plugin/widget.js
@@ -49,6 +49,12 @@
     // Resize iframe
     resize : function (data) {
       this._element.style.height = data.height + 'px';
+    },
+
+    // Shutdown suspicious iframe
+    shutdown : function () {
+      KorAP.log(0, 'Suspicious action from ' + this.src);
+      this._element.parentNode.removeChild(this._element);
     }
   }
 });
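Review bot: `shutdown` dereferences `this._element.parentNode` without a null check, so calling it on a widget whose element is already detached throws inside the message handler. A guard such as `var p = this._element.parentNode; if (p) p.removeChild(this._element);` keeps the teardown idempotent. The log line interpolates `this.src`, which is not assigned in the visible lines; if the widget stores its URL under another name the entry will read `undefined`, so the property is worth confirming. The comment could also state the caller and effect, e.g. `// Remove the widget's iframe from the DOM; called by the plugin server when the message limit is exceeded`.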