how best to limit access to a new JS API
32 views
Skip to first unread message
Demetrios Tsillas
Jan 26, 2021, 2:03:50 PM1/26/21
to blink-dev
My derivative wants to add some new functions to an existing JS API. But I want to limit access to these functions to a specific domain (and perhaps the localhost).
I have access to the ScriptState when handling the new functions. Is there a way I can check the script origin to return some exception?
I have access to the ScriptState when handling the new functions. Is there a way I can check the script origin to return some exception?
What is the best practice for something like this?
thanks!!!
-Jim.
Jeremy Roman
Jan 26, 2021, 3:07:03 PM1/26/21
to Demetrios Tsillas, blink-dev
You can use ExecutionContext::From to find the execution context, and then use GetSecurityOrigin, which will give you the origin of the document or worker. (Assuming that's the origin you mean, not the script subresource that the function call exists in.)
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/d7acbf05-c7fd-44c2-8833-aca71fc961b7n%40chromium.org.
Jeremy Roman
Jan 26, 2021, 3:08:11 PM1/26/21
to Demetrios Tsillas, blink-dev
In an ideal world this would be feature-detectable, i.e. you'd not expose the functions in contexts not allowed to call them, but that's more complicated (the origin trial code or MojoJS code would be starting points for that).
Reply all
Reply to author
Forward
0 new messages