Openapi documentation generator crushed by window.postMessage
Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.
Context
OpenApi preview is rendered in an iframe. The code inside of this iframe listens for a message posted from the parent page and takes a message's data as a spec to render.
The users reported us an issue about crushes of a preview. The investigation shown the cause: some browser extensions post messages on the iframe's window with their own data, and preview code does not validate received data and tries to render it.
To reproduce the issue
-
Install one of the browser extensions using messages. For example https://chromewebstore.google.com/detail/semrush-ai-writer-and-edi/dfajcklndiadlfmiabpohgpbcohchhop. No need to register or do anything else with it.
-
Visit a page with swagger documentation. For example, the one from gitlab's repository.
-
The preview shows error:
Proposed
We'd like to propose more strict validation of incoming data inside preview iframe.
-
On the sending side use unique key
sandboxEl.addEventListener('load', () => { - if (spec) sandboxEl.contentWindow.postMessage(JSON.stringify(spec), '*'); + if (spec) sandboxEl.contentWindow.postMessage({ openapiSpecString: JSON.stringify(spec) }, '*'); }); -
On the listening side check the presence of the unique key in the data.
const addInitHook = () => { window.addEventListener( 'message', (event) => { if (event.origin !== window.location.origin) { return; } - renderSwaggerUI(event.data); + if (isObject(event.data)) { + const { openapiSpecString } = event.data; + + if (typeof openapiSpecString === 'string') { + renderSwaggerUI(openapiSpecString); + } + } }, false, ); };