Adds opt-in origin-hardening for cross-frame messages #4
Merged
Conversation
Until now buzz accepted messages from any origin and posted cross-frame messages with targetOrigin '*', so a foreign frame on the same page could inject or skim buzz traffic.
A new buzz.configure({allowedOrigins, targetOrigin}) sets a document-wide, opt-in trust boundary. When configured, the Connector listener and the uplink drop cross-frame messages from disallowed origins, and the uplink forwards to the parent using the given target origin. installDownlink additionally accepts per-call targetOrigin and allowedOrigins for a specific child frame.
The defaults are unchanged: with no configuration, messages from any origin are accepted and cross-frame posts still use '*', so existing integrations keep working. Same-window bus messages (event.source === window) are always accepted, as they never cross an origin boundary; only genuine cross-frame messages are filtered. A hard global whitelist is intentionally not enforced because buzz runs on arbitrary integrator domains.
Assisted-by: Claude Opus 4.8
Fixes: OX-12527
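The filtering behaviour described above, written out as an added example; this is not buzz's own code and does not reproduce its internals. It shows the three pieces the description names: a policy object that reproduces the permissive default (accept any origin, post with '*') when nothing is configured, an origin check that always passes same-window messages and otherwise requires an exact match against the allowlist, and a forward that posts with the configured targetOrigin. The function names (createOriginPolicy, shouldAccept, forwardToParent, installFilteredListener), the injected window parameter, and the sample origins are assumptions constructed for the example so it runs outside a browser.

```javascript
// Added example, not buzz's implementation: an opt-in origin allowlist for
// window.postMessage traffic. All names below are hypothetical.

// Build a policy. With no options this matches the permissive default the
// PR keeps: accept messages from any origin and post with targetOrigin '*'.
// An explicit empty allowlist ([]) means "drop every cross-frame message".
function createOriginPolicy(options = {}) {
  const allowed = options.allowedOrigins
    ? new Set(options.allowedOrigins)
    : null; // null = no allowlist configured
  return {
    allowedOrigins: allowed,
    targetOrigin: options.targetOrigin || '*',
  };
}

// Decide whether a MessageEvent should be processed.
// `self` is the receiving window, passed in so the check is testable offline.
function shouldAccept(policy, event, self) {
  // Same-window bus messages never cross an origin boundary: always accepted.
  if (event.source === self) return true;
  // No allowlist configured: backwards-compatible permissive behaviour.
  if (policy.allowedOrigins === null) return true;
  // Exact match on scheme + host + port. Opaque origins ('null', as sent by
  // sandboxed iframes or file: documents) never match and are dropped.
  return policy.allowedOrigins.has(event.origin);
}

// Post to another window using the configured targetOrigin. The browser
// delivers the message only if the target's current origin matches it
// (or it is '*'), so a navigated or foreign frame cannot skim the payload.
// Returns the targetOrigin actually used.
function forwardToParent(policy, parentWindow, data) {
  parentWindow.postMessage(data, policy.targetOrigin);
  return policy.targetOrigin;
}

// Attach a filtering 'message' listener to `self`. `handler` only sees
// messages that pass the policy; everything else is dropped silently.
// Returns the listener so callers can remove it later.
function installFilteredListener(policy, self, handler) {
  const listener = (event) => {
    if (!shouldAccept(policy, event, self)) return;
    handler(event.data, event);
  };
  self.addEventListener('message', listener);
  return listener;
}
```

In a real page the `self` argument is the current `window` and `parentWindow` is `window.parent`; the allowlist must contain full origins (for example `https://app.example:8443`), since `event.origin` is compared as an exact string and never as a hostname pattern.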
Pull request overview
Adds an opt-in origin-hardening layer for BUZZ cross-frame messaging to mitigate foreign-frame injection/traffic skimming, while preserving backwards-compatible defaults (accept any origin; post with targetOrigin: '*') when not configured.
Changes:
- Introduces a global `buzz.configure({ allowedOrigins, targetOrigin })` and applies origin filtering to the Connector listener and uplink forwarding.
- Extends `buzz.installDownlink(...)` to support per-child-frame `allowedOrigins` filtering and configurable `targetOrigin` for posts to the child frame.
- Documents the new optional origin-hardening behavior and usage in `README.md`.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| README.md | Documents the new optional origin-hardening configuration and clarifies default behavior. |
| buzz.js | Implements global/per-downlink origin allowlisting and configurable targetOrigin for cross-frame posts/forwarding. |
idlira approved these changes on Jun 25, 2026