
github.com/keepassxreboot/keepassxc-browser.git - Unnamed repository; edit this file 'description' to name the repository.
authorSami Vänttinen <sami.vanttinen@protonmail.com>2022-05-29 15:58:26 +0300
committerGitHub <noreply@github.com>2022-05-29 15:58:26 +0300
commit9af37d688aafa0df3eadebbe66b79c9791878275 (patch)
tree03be4f527a83b6f06b5cd8a681caab4088b23230
parentc83ddaaedf0b40e0f3226353b548ac8cbb8a05c7 (diff)
parent961b7ecbf544c7b8d30e0f9dd662c2e88c08af34 (diff)
Merge pull request #1634 from keepassxreboot/fix/prevent_cross_origin_requests
Prevent Cross-Origin requests to KeePassXC
-rwxr-xr-xkeepassxc-browser/content/keepassxc-browser.js8
1 files changed, 8 insertions, 0 deletions
diff --git a/keepassxc-browser/content/keepassxc-browser.js b/keepassxc-browser/content/keepassxc-browser.js
index 97cd6f0..b93dd0a 100755
--- a/keepassxc-browser/content/keepassxc-browser.js
+++ b/keepassxc-browser/content/keepassxc-browser.js
@@ -588,6 +588,14 @@ kpxc.retrieveCredentialsCallback = async function(credentials) {
// If credentials are not received, request them again
kpxc.receiveCredentialsIfNecessary = async function() {
if (kpxc.credentials.length === 0 && !_called.retrieveCredentials) {
+ // Check for Cross-domain security error when inspecting window.top.location.href. We should ignore these requests.
+ try {
+ const currentLocation = window.top.location.href;
+ } catch (err) {
+ logDebug('Error: Credential request ignored from another domain: ', window.self.location.host);
+ return [];
+ }
+
if (!kpxc.url) {
kpxc.url = document.location.href;
}
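Review bot: The same-origin probe added as `const currentLocation = window.top.location.href;` sits inside the `kpxc.credentials.length === 0 && !_called.retrieveCredentials` branch, so it gates only this retry path. Whether the other code paths that request credentials from KeePassXC apply the same check is not visible here, and the body of `kpxc.receiveCredentialsIfNecessary` continues past the hunk. If they do not, a small shared helper called before every credential request would make the cross-origin rule hold uniformly. The `currentLocation` binding is never read, so linters will flag it; `void window.top.location.href;` preceded by `// Throws SecurityError when the top window is cross-origin` states the intent without a dead variable. The catch treats any exception as cross-origin, which fails closed and is the safe default here.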