From 7e789e6e777559c50b57b53764e0d01c9b301739 Mon Sep 17 00:00:00 2001
From: zubiden <19638254+zubiden@users.noreply.github.com>
Date: Fri, 17 Apr 2026 13:38:10 +0200
Subject: [PATCH] General: Better validation for iframe event origins (#6856)

---
 src/components/main/GameModal.tsx             | 10 ++++++++--
 .../modals/webApp/hooks/useWebAppFrame.ts     |  5 ++---
 src/components/payment/ConfirmPayment.tsx     | 14 ++++++++++----
 src/util/browser/iframe.ts                    |  3 +++
 4 files changed, 23 insertions(+), 9 deletions(-)
 create mode 100644 src/util/browser/iframe.ts

diff --git a/src/components/main/GameModal.tsx b/src/components/main/GameModal.tsx
index b8b7fa551..a4484e3ea 100644
--- a/src/components/main/GameModal.tsx
+++ b/src/components/main/GameModal.tsx
@@ -1,12 +1,13 @@
 import type { FC } from '../../lib/teact/teact';
 import type React from '../../lib/teact/teact';
-import { memo, useCallback, useEffect } from '../../lib/teact/teact';
+import { memo, useCallback, useEffect, useRef } from '../../lib/teact/teact';
 import { getActions, withGlobal } from '../../global';
 
 import type { TabState } from '../../global/types';
 
 import { getCanPostInChat } from '../../global/helpers';
 import { selectChat, selectChatFullInfo } from '../../global/selectors';
+import { isMessageFromIframe } from '../../util/browser/iframe';
 
 import useInterval from '../../hooks/schedulers/useInterval';
 import useOldLang from '../../hooks/useOldLang';
@@ -34,6 +35,7 @@ const GameModal: FC = ({ openedGame, gameTitle, canPost }
   const lang = useOldLang();
   const { url, chatId, messageId } = openedGame || {};
   const isOpen = Boolean(url);
+  const frameRef = useRef();
   const sendMessageAction = useSendMessageAction(chatId);
 
   useInterval(() => {
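Review bot: `const frameRef = useRef();` declares the ref without an element type, so `frameRef.current` carries no `HTMLIFrameElement` type (what it is instead depends on teact's `useRef` signature, which is not shown) and the compiler cannot check the argument later passed to `isMessageFromIframe`; declare it as `const frameRef = useRef<HTMLIFrameElement>();`. The guard only works if this ref is actually attached to the rendered `<iframe>` via `ref={frameRef}`, which would happen in the JSX past this hunk and is not visible here, so that is worth confirming. The body of `GameModal` starts before and continues after this hunk.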
@@ -41,7 +43,10 @@ const GameModal: FC = ({ openedGame, gameTitle, canPost }
   }, isOpen && canPost ? PLAY_GAME_ACTION_INTERVAL : undefined);
 
   const handleMessage = useCallback((event: MessageEvent) => {
-    if (!chatId || !messageId) return;
+    if (!chatId || !messageId || !isMessageFromIframe(event, frameRef.current)) {
+      return;
+    }
+
     try {
       const data = JSON.parse(event.data) as GameEvents;
       if (data.eventType === 'share_score') {
@@ -77,6 +82,7 @@ const GameModal: FC = ({ openedGame, gameTitle, canPost }
     >
       {isOpen && (
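Review bot: Nothing in the new guard on the `if` line of `handleMessage` explains why the message is dropped, and `event.origin` is still never consulted even though the commit is about validating origins; if `isMessageFromIframe` (defined in the new `src/util/browser/iframe.ts`, not in this hunk) only compares `event.source` with the frame's `contentWindow`, it identifies the sending window, not the document's origin, which can change once the game page navigates. A comment above the `if` would make the intent clear: `// Any window can postMessage to us; only act on messages sent by our own game iframe.`. If the game is expected to stay on the origin of `url`, the check can be tightened with `|| event.origin !== new URL(url).origin` (and `url` added to the callback's dependency list, which lies outside the hunk). `JSON.parse(event.data) as GameEvents` remains a cast rather than validation, so the rest of the handler should keep treating `data` as untrusted input from third-party content. The body of `handleMessage` continues past the hunk.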