Adds opt-in origin-hardening for cross-frame messages#4

Merged: sabieber merged 1 commit into develop from feature/sbi/OX-12527 on Jun 26, 2026
Conversation

@sabieber (Member)

Until now buzz accepted messages from any origin and posted cross-frame messages with targetOrigin '*', so a foreign frame on the same page could inject or skim buzz traffic.

A new buzz.configure({allowedOrigins, targetOrigin}) sets a document-wide, opt-in trust boundary. When configured, the Connector listener and the uplink drop cross-frame messages from disallowed origins, and the uplink forwards to the parent using the given target origin. installDownlink additionally accepts per-call targetOrigin and allowedOrigins for a specific child frame.

The defaults are unchanged: with no configuration, messages from any origin are accepted and cross-frame posts still use '*', so existing integrations keep working. Same-window bus messages (event.source === window) are always accepted, as they never cross an origin boundary; only genuine cross-frame messages are filtered. A hard global whitelist is intentionally not enforced because buzz runs on arbitrary integrator domains.

Assisted-by: Claude Opus 4.8
Fixes: OX-12527
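The trust boundary described above, as an added illustration in plain JavaScript that is not buzz's own code: the names policy, configure, shouldAccept, resolveTargetOrigin and forward are assumptions, and the receiving window is passed in explicitly so the logic runs outside a browser.

```javascript
// Added illustration of the opt-in trust boundary this PR describes; not buzz's
// own code. The receiving window is passed in explicitly so it runs outside a browser.

// Document-wide policy. allowedOrigins === null means "not configured", which keeps
// the backwards-compatible defaults: accept any origin, post with targetOrigin '*'.
const policy = { allowedOrigins: null, targetOrigin: '*' };

// Stand-in for buzz.configure({allowedOrigins, targetOrigin}).
function configure({ allowedOrigins, targetOrigin } = {}) {
  if (Array.isArray(allowedOrigins)) policy.allowedOrigins = allowedOrigins.slice();
  if (typeof targetOrigin === 'string') policy.targetOrigin = targetOrigin;
}

// Decide whether a MessageEvent may enter the bus. `win` is the receiving window
// (`window` in a browser); `opts.allowedOrigins` is a per-downlink override for one
// child frame, as installDownlink accepts per call.
function shouldAccept(event, win, opts = {}) {
  // Same-window bus messages never cross an origin boundary: always accepted.
  if (event.source === win) return true;
  const allowed = opts.allowedOrigins ?? policy.allowedOrigins;
  // Unconfigured: accept any origin, so existing integrations keep working.
  if (!allowed) return true;
  // Exact match on the browser-supplied origin; a disallowed origin is dropped.
  return allowed.includes(event.origin);
}

// targetOrigin used for a cross-frame post: per-call override, else the global one.
function resolveTargetOrigin(opts = {}) {
  return opts.targetOrigin ?? policy.targetOrigin;
}

// Post `data` to another frame with the resolved target origin, so the browser
// itself refuses delivery if that frame has navigated to a different origin.
function forward(frameWindow, data, opts = {}) {
  const targetOrigin = resolveTargetOrigin(opts);
  frameWindow.postMessage(data, targetOrigin);
  return targetOrigin;
}
```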
@sabieber sabieber requested a review from Copilot June 25, 2026 14:21
@sabieber sabieber added the enhancement New feature or request label Jun 25, 2026

Copilot AI left a comment

Pull request overview

Adds an opt-in origin-hardening layer for BUZZ cross-frame messaging to mitigate foreign-frame injection/traffic skimming, while preserving backwards-compatible defaults (accept any origin; post with targetOrigin: '*') when not configured.

Changes:

  • Introduces a global buzz.configure({ allowedOrigins, targetOrigin }) and applies origin filtering to the Connector listener and uplink forwarding.
  • Extends buzz.installDownlink(...) to support per-child-frame allowedOrigins filtering and configurable targetOrigin for posts to the child frame.
  • Documents the new optional origin-hardening behavior and usage in README.md.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File      | Description
README.md | Documents the new optional origin-hardening configuration and clarifies default behavior.
buzz.js   | Implements global/per-downlink origin allowlisting and configurable targetOrigin for cross-frame posts/forwarding.

Comment thread buzz.js
@sabieber sabieber merged commit 1acdfd2 into develop Jun 26, 2026
1 check passed
@sabieber sabieber deleted the feature/sbi/OX-12527 branch June 26, 2026 06:54