fix: postMessage to target origin in redirect page (#362)

embbnux · web-flow · commit 05d548bf8e9c · 2020-03-26T11:32:19.000+08:00
* fix: postMessage to target origin in redirect page

* referer is not work
diff --git a/docs/customize-redirect-uri.md b/docs/customize-redirect-uri.md
@@ -22,25 +22,27 @@ Or
 
 But in your redirect page, you need to add following code to pass callback params to this app.
 
-```js
+```html
 <script>
+  // the origin is used for postMessage
+  var origin = 'https://ringcentral.github.io';
   if (window.opener) {
     // For normal popup login window
     window.opener.postMessage({
       callbackUri: window.location.href,
-    }, '*');
+    }, origin);
   }
   if (window.parent && window.parent !== window) {
     if (window.name === 'SSOIframe') {
       // SSO login iframe
       window.parent.postMessage({
         callbackUri,
-      }, '*');
+      }, origin);
     } else {
       // For hidden token refresh iframe
       window.parent.postMessage({
         refreshCallbackUri: callbackUri,
-      }, '*');
+      },origin);
     }
   }
 </script>
diff --git a/src/lib/RedirectController.js b/src/lib/RedirectController.js
@@ -1,5 +1,14 @@
 import url from 'url';
 
+const origins = [
+  'https://ringcentral.github.io',
+  'https://apps.ringcentral.com',
+];
+
+if (origins.indexOf(window.location.origin) < 0) {
+  origins.push(window.location.origin);
+}
+
 export default class RedirectController {
   constructor({
     prefix,
@@ -20,9 +29,11 @@ export default class RedirectController {
 
       try {
         if (window.opener && window.opener.postMessage) {
-          window.opener.postMessage({
-            callbackUri
-          }, '*');
+          origins.forEach((origin) => {
+            window.opener.postMessage({
+              callbackUri
+            }, origin);
+          });
           window.close();
         }
       } catch (e) {
@@ -33,14 +44,18 @@ export default class RedirectController {
         if (window.parent && window.parent !== window) {
           if (window.name === 'SSOIframe') {
             // SSO iframe
-            window.parent.postMessage({
-              callbackUri,
-            }, '*');
+            origins.forEach((origin) => {
+              window.parent.postMessage({
+                callbackUri,
+              }, origin);
+            });
           } else {
             // Hidden refresh iframe
-            window.parent.postMessage({
-              refreshCallbackUri: callbackUri,
-            }, '*');
+            origins.forEach((origin) => {
+              window.parent.postMessage({
+                refreshCallbackUri: callbackUri,
+              }, origin);
+            });
           }
         }
       } catch (e) {
