author | Sami Vänttinen <sami.vanttinen@protonmail.com> | 2022-05-29 15:58:26 +0300 |
committer | GitHub <noreply@github.com> | 2022-05-29 15:58:26 +0300 |
commit | 9af37d688aafa0df3eadebbe66b79c9791878275 (patch) | |
tree | 03be4f527a83b6f06b5cd8a681caab4088b23230 | |
parent | c83ddaaedf0b40e0f3226353b548ac8cbb8a05c7 (diff) | |
parent | 961b7ecbf544c7b8d30e0f9dd662c2e88c08af34 (diff) |
Merge pull request #1634 from keepassxreboot/fix/prevent_cross_origin_requests
Prevent Cross-Origin requests to KeePassXC
-rwxr-xr-x | keepassxc-browser/content/keepassxc-browser.js | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/keepassxc-browser/content/keepassxc-browser.js b/keepassxc-browser/content/keepassxc-browser.js
index 97cd6f0..b93dd0a 100755
--- a/keepassxc-browser/content/keepassxc-browser.js
+++ b/keepassxc-browser/content/keepassxc-browser.js
@@ -588,6 +588,14 @@ kpxc.retrieveCredentialsCallback = async function(credentials) {
 // If credentials are not received, request them again
 kpxc.receiveCredentialsIfNecessary = async function() {
     if (kpxc.credentials.length === 0 && !_called.retrieveCredentials) {
+        // Check for Cross-domain security error when inspecting window.top.location.href. We should ignore these requests.
+        try {
+            const currentLocation = window.top.location.href;
+        } catch (err) {
+            logDebug('Error: Credential request ignored from another domain: ', window.self.location.host);
+            return [];
+        }
+
         if (!kpxc.url) {
             kpxc.url = document.location.href;
         } |
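Review bot: The new guard in receiveCredentialsIfNecessary only establishes that `window.top` is same-origin with the current frame; a frame nested under a cross-origin intermediate ancestor (top page A embeds B, B embeds a page of A) passes the probe and still goes on to request credentials, which is presumably not what a change titled "prevent cross-origin requests" intends. The `try` also declares `currentLocation` and never reads it, which `no-unused-vars` will flag; `void window.top.location.href;` expresses the probe without the dead binding. If embedding through any untrusted ancestor should be refused, walking the parent chain and probing each ancestor's `location.href` covers both cases with the same catch, as below; I have left the catch-all as is, since the exception type thrown for a cross-origin read is browser-specific and narrowing it to `err.name === 'SecurityError'` would need confirming on every supported browser first. The body of receiveCredentialsIfNecessary continues past the end of the hunk.
```javascript
        // Reading location.href of a cross-origin frame throws. Probe every
        // ancestor, not just window.top, so a page embedded through an
        // untrusted intermediate frame also refuses to request credentials.
        try {
            let frame = window;
            while (frame !== window.top) {
                frame = frame.parent;
                void frame.location.href;
            }
        } catch (err) {
            logDebug('Error: Credential request ignored from another domain: ', window.self.location.host);
            return [];
        }
        // … unchanged: kpxc.url initialisation …
```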