Skip to content

fix(admin): add postMessage origin validation to liveControls.ts#208

Open
0xcucumbersalad wants to merge 1 commit into
mainfrom
fix/postmessage-origin-validation
Open

fix(admin): add postMessage origin validation to liveControls.ts#208
0xcucumbersalad wants to merge 1 commit into
mainfrom
fix/postmessage-origin-validation

Conversation

@0xcucumbersalad

@0xcucumbersalad 0xcucumbersalad commented Jun 1, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Adds TRUSTED_ORIGINS allowlist and isTrustedOrigin() check to src/admin/liveControls.ts, matching the existing fix in LiveControls.tsx
  • Without this check, any page that iframes the storefront can execute arbitrary JavaScript via postMessage — a framework-level XSS
  • Accepts explicit deco.cx origins, any *.deco.cx subdomain, and same-origin messages

Test plan

  • bun run test — 46 files, 687 tests passed
  • Verify admin preview still works when storefront is embedded in admin iframe
  • Verify messages from untrusted origins are rejected (no script injection)

🤖 Generated with Claude Code


Summary by cubic

Adds origin validation to the admin live controls postMessage handler to block untrusted iframes and prevent script injection when the storefront is embedded. Aligns src/admin/liveControls.ts with LiveControls.tsx by allowing only deco.cx origins and same-origin messages.

  • Bug Fixes
    • Add TRUSTED_ORIGINS and isTrustedOrigin(); ignore messages when event.origin is not trusted.
    • Trusted: https://deco.cx, https://admin.deco.cx, https://play.deco.cx, any *.deco.cx subdomain, and same-origin.

Written for commit 3adb2db. Summary will update on new commits.

Review in cubic

Align liveControls.ts with LiveControls.tsx by adding TRUSTED_ORIGINS
allowlist and isTrustedOrigin() check. Without this, any page that
iframes the storefront can execute arbitrary JS via postMessage.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@0xcucumbersalad 0xcucumbersalad requested a review from a team June 1, 2026 14:01

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 1 file

Re-trigger cubic

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants