
fix(sec-86): harden iframe postMessage to trusted parent origins#189

Open
aris1009 wants to merge 1 commit into main from fix/sec-86-postmessage-origin-hardening

Conversation

@aris1009
Member

@aris1009 aris1009 commented Apr 17, 2026

Summary

  • Replaces wildcard '*' postMessage target in the code-server iframe client with an explicit allowlist sourced from CS_ALLOWED_ORIGINS (SEC-86).
  • Guards the inbound message listener in client.ts by both parentEvent.source === parent (window identity) and an origin allowlist (SEC-87).
  • Fails closed: if the allowlist is empty, no outbound postMessage is sent and no inbound messages are processed.
  • Also fixes a latent bug where the outbound "event proxy" re-post used window.location.origin — iframe and parent live at different origins, so the browser was silently dropping those messages. Now targets the validated parentEvent.origin.

Mechanism

New quilt patch patches/harden-iframe-postmessage.diff:

  • lib/vscode/src/vs/base/common/product.ts — adds codeServerParentOrigins?: readonly string[] to IProductConfiguration.
  • lib/vscode/src/vs/server/node/webClientServer.ts — parses process.env.CS_ALLOWED_ORIGINS and injects into the workbench productConfiguration (mirrors the existing VSCODE_PROXY_URI env-var pattern a few lines above).
  • lib/vscode/src/vs/workbench/browser/client.ts — origin-guarded outbound + inbound messaging.

Linear

Fixes SEC-86
Fixes SEC-87

Test plan

  • quilt push -a applies the full stack cleanly (CI build-vscode.yaml gate).
  • Manual: code-server built with this patch, embedded in webapp with CS_ALLOWED_ORIGINS=https://app.dev.rudderlabs.com, verify:
    • loaded postMessage reaches the webapp iframe parent on startup.
    • Messages sent from a non-allowlisted origin (simulated via a second iframe) are ignored.
    • With CS_ALLOWED_ORIGINS empty, no outbound postMessage is fired and no inbound messages are processed.
  • Release flow: after release-please PR merges and a new ECR image is built, bump CodeServerImageName in rudder-devops to verify embedding still works in dev before closing SEC-86 / SEC-87.

Replaces wildcard '*' target with explicit trusted-origin list sourced from CS_ALLOWED_ORIGINS. Guards inbound message listener by source window identity and origin allowlist. Fails closed when no trusted origins are configured. Also addresses SEC-87.

🔒 Scanned for secrets using gitleaks 8.30.1
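The guards the PR description lays out (allowlist instead of `'*'`, `event.source === parent` plus an origin check on inbound messages, fail closed on an empty allowlist, and replying to the validated `event.origin` rather than `window.location.origin`) as an added example in JavaScript. This is not code from the PR, from client.ts or from code-server; `FakeWindow` is a constructed stand-in for the browser's postMessage delivery rule, and the function names, the `CS_ALLOWED_ORIGINS`-style parsing and the sample origins are assumptions made for the illustration.

```javascript
// Added example, not the PR's or code-server's code. Names, parsing rules and the
// sample origins below are assumptions; FakeWindow is a constructed browser stand-in.

// Stand-in for a browser window: a postMessage is delivered only when targetOrigin is
// '*' or equals the receiving window's origin. Anything else is silently dropped,
// which is exactly what a real browser does.
class FakeWindow {
  constructor(origin) { this.origin = origin; this.inbox = []; }
  postMessage(data, targetOrigin) {
    if (targetOrigin === '*' || targetOrigin === this.origin) this.inbox.push(data);
  }
}

// Parse a CS_ALLOWED_ORIGINS-style value: comma separated, whitespace trimmed, each
// entry normalised to an origin through the URL parser so a trailing slash or path
// cannot defeat the exact string comparison later. '*', malformed entries and opaque
// ('null') origins are dropped rather than trusted; duplicates are collapsed.
function parseAllowedOrigins(raw) {
  const origins = [];
  for (const part of (raw || '').split(',')) {
    const s = part.trim();
    if (!s) continue;
    let origin;
    try { origin = new URL(s).origin; } catch { continue; } // '*' and garbage land here
    if (origin === 'null' || origins.includes(origin)) continue;
    origins.push(origin);
  }
  return origins;
}

// Outbound: post once per allowed origin. The browser delivers only the copy whose
// targetOrigin matches the parent's real origin and drops the others, so an untrusted
// embedder never sees the payload. Empty allowlist: fail closed, send nothing.
function sendToParent(parentWindow, data, allowedOrigins) {
  if (allowedOrigins.length === 0) return 0;
  for (const origin of allowedOrigins) parentWindow.postMessage(data, origin);
  return allowedOrigins.length;
}

// Inbound: accept only if the sender is the parent window object itself (not a sibling
// iframe or popup) AND its origin is allowlisted. The reply targets event.origin, the
// origin just validated; targeting the iframe's own origin would be dropped.
function handleParentMessage(event, parentWindow, allowedOrigins, reply) {
  if (allowedOrigins.length === 0) return 'dropped:no-allowlist';
  if (event.source !== parentWindow) return 'dropped:source';
  if (!allowedOrigins.includes(event.origin)) return 'dropped:origin';
  event.source.postMessage(reply(event.data), event.origin);
  return 'accepted';
}

// Constructed scenario: a trusted parent, an attacker-controlled sibling frame, and an
// iframe served from a third origin (so parent and iframe origins differ, as in the PR).
function demo() {
  const allowed = parseAllowedOrigins('https://app.example.com/, https://staging.example.com, *');
  const parent = new FakeWindow('https://app.example.com');
  const attacker = new FakeWindow('https://evil.example');
  const iframeOwnOrigin = 'https://cs.example.com';
  const results = { allowed };

  results.sentCount = sendToParent(parent, { type: 'loaded' }, allowed);
  results.parentGotLoaded = parent.inbox.length;            // delivered exactly once
  results.sentWhenEmpty = sendToParent(parent, { type: 'loaded' }, []);

  // The latent bug from the description: replying with the iframe's own origin as the
  // target. The parent lives at another origin, so the browser drops the message.
  const before = parent.inbox.length;
  parent.postMessage({ type: 'ack' }, iframeOwnOrigin);
  results.buggyReplyDelivered = parent.inbox.length !== before;

  const ack = (d) => ({ type: 'ack', of: d.type });
  results.fromParent = handleParentMessage(
    { source: parent, origin: 'https://app.example.com', data: { type: 'ping' } },
    parent, allowed, ack);
  results.fromAttackerFrame = handleParentMessage(
    { source: attacker, origin: 'https://evil.example', data: { type: 'ping' } },
    parent, allowed, ack);
  results.fromParentBadOrigin = handleParentMessage(
    { source: parent, origin: 'https://evil.example', data: { type: 'ping' } },
    parent, allowed, ack);
  results.parentInboxAfter = parent.inbox.length;           // 'loaded' + one 'ack'
  results.attackerInbox = attacker.inbox.length;            // nothing reached the attacker
  return results;
}
```

Posting once per allowlisted origin is what makes the outbound side safe without knowing which embedder loaded the frame: the browser's targetOrigin check does the filtering, and only the copy addressed to the real parent is delivered. The `source === parent` check matters independently of the origin check, because a second frame on an allowlisted origin (or a popup) would otherwise pass the origin test.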
@github-actions
Contributor

Docker Preview Images Ready

Preview Docker images have been built for this PR:

ECR (internal):

docker pull 422074288268.dkr.ecr.us-east-1.amazonaws.com/rudderstack/profiles-code-server:pr-189

Image Details:

  • Tag: pr-189
  • Platforms: linux/amd64, linux/arm64

Test the image:

docker run --rm -p 8080:8080 422074288268.dkr.ecr.us-east-1.amazonaws.com/rudderstack/profiles-code-server:pr-189

Note: These preview images will be overwritten on subsequent pushes to this PR.

