Merge pull request #39 from livechat/fix/PP-10482

PP-10482 - secure post message with origin check + minor fixes

Block/System/Config/LiveChatForm.php

@@ -11,6 +11,7 @@ class LiveChatForm extends \Magento\Framework\View\Element\Template
 	const CHECK_TEMPLATE = 'system/config/livechat_form.phtml';
 
 	private $dataHelper;
+	private $urlinterface;
 
 	public function __construct(
 		\Magento\Framework\View\Element\Template\Context $context,

Controller/Adminhtml/GetProps/Index.php

@@ -10,6 +10,14 @@ class Index extends \Magento\Backend\App\Action
 	protected $configWriter;
 
 	private $cacheManagerFactory;
+	/**
+	 * @var Data
+	 */
+	private $dataHelper;
+	/**
+	 * @var \Magento\Framework\Controller\Result\JsonFactory
+	 */
+	private $resultJsonFactory;
 
 	public function __construct(
 		Context $context,

Controller/Adminhtml/ResetLicense/Index.php

@@ -7,6 +7,14 @@ class Index extends \Magento\Backend\App\Action
 {
 	protected $resultPageFactory;
 	protected $configWriter;
+	/**
+	 * @var \Magento\Framework\Controller\Result\JsonFactory
+	 */
+	private $resultJsonFactory;
+	/**
+	 * @var \Magento\Framework\App\Cache\ManagerFactory
+	 */
+	private $cacheManagerFactory;
 
 	public function __construct(
 		Context $context,

Controller/Adminhtml/SetLicense/Index.php

@@ -7,6 +7,14 @@ class Index extends \Magento\Backend\App\Action
 {
 	protected $resultPageFactory;
 	protected $configWriter;
+	/**
+	 * @var \Magento\Framework\Controller\Result\JsonFactory
+	 */
+	private $resultJsonFactory;
+	/**
+	 * @var \Magento\Framework\App\Cache\ManagerFactory
+	 */
+	private $cacheManagerFactory;
 
 	public function __construct(
 		Context $context,

Controller/Adminhtml/SetProps/Index.php

@@ -9,6 +9,10 @@ class Index extends \Magento\Backend\App\Action
 	protected $configWriter;
 
 	private $cacheManagerFactory;
+	/**
+	 * @var \Magento\Framework\Controller\Result\JsonFactory
+	 */
+	private $resultJsonFactory;
 
 	public function __construct(
 		Context $context,

composer.json

@@ -11,7 +11,7 @@
 		"magento/framework": "100.*|101.*|102.*|103.*"
 	},
 	"type": "magento2-module",
-	"version": "2.4.8",
+	"version": "2.4.9",
 	"license": [
 		"OSL-3.0",
 		"AFL-3.0"

view/adminhtml/templates/system/config/livechat_form.phtml

@@ -7,7 +7,7 @@
 		<div class="progress-button hidden">
 			Saving...
 		</div>
-		<div>				
+		<div>
 			<iframe id="login-with-livechat" src="https://addons.livechatinc.com/sign-in-with-livechat/magento2?popupRoute=signup&linkLabel=Connect&partner_id=magento2&utm_source=magento.com&utm_medium=integration&utm_campaign=magento_integration"> </iframe>
 		</div>
 		</div>

view/adminhtml/web/script.js

@@ -1,5 +1,6 @@
 require(['jquery'], function ($) {
-
+
+	var addonsOrigin = 'https://addons.livechatinc.com';
 	var save_props_url = $('#save-props-url').html();
 	var save_license_url = $('#save-license-url').html();
 	var reset_license_url = $('#reset-license-url').html();
@@ -57,23 +58,29 @@ require(['jquery'], function ($) {
 	});
 
 	var sendMessage = function (msg) {
-		login_with_livechat.contentWindow.postMessage(msg, '*');
+		login_with_livechat.contentWindow.postMessage(msg, addonsOrigin);
 	};
 
 	var logoutLiveChat = function () {
 		sendMessage('logout');
 	};
 
 	function receiveMessage(event) {
+		if (event.origin !== addonsOrigin) {
+			return;
+		}
+
+		var livechatMessage;
+
 		try {
-			var livechatMessage = JSON.parse(event.data);
+			livechatMessage = JSON.parse(event.data);
 		}
 		catch(err) {
+			console.log(err?.message);
 			console.log(JSON.stringify(err));
 		}
 
-		if (livechatMessage.type === 'logged-in' && livechatMessage.eventTrigger === 'click') {
-
+		if (livechatMessage?.type === 'logged-in' && livechatMessage?.eventTrigger === 'click') {
 			$('#login_panel').hide();
 			$('#admin_panel').show();
 			$('iframe#login-with-livechat').addClass('hidden');