Conversation

@NickPadilla (Contributor)

No description provided.

Comment on lines +37 to +41
iframeRef.value.contentWindow.postMessage({
namespace,
token, // Will be set for OIDC, null for basic auth
sessionId // Will be set for both, used by basic auth
}, '*')

Check warning

Code scanning / CodeQL

Cross-window communication with unrestricted target origin (Medium)

Sensitive data is sent to another window without origin restriction.

Copilot Autofix

AI 2 days ago

In general, the fix is to avoid postMessage(..., '*') when sending sensitive data. Instead, specify a concrete, trusted target origin (e.g., 'https://example.com' or window.location.origin) that matches the origin from which /graphiql.html is served. This ensures that even if a malicious page tries to embed the iframe or intercept the message, the browser will not deliver it unless the target’s origin matches the specified value.

For this specific file, we should:

  • Compute the correct target origin at runtime based on the current page’s origin, assuming /graphiql.html is served from the same origin.
  • Replace the '*' argument in postMessage with that origin.
  • Keep existing behavior otherwise unchanged (same data, same timing, same event listener).

Concretely, inside onMounted, before adding the load listener, we can define:

const targetOrigin = window.location.origin

Then update:

iframeRef.value.contentWindow.postMessage({ ... }, '*')

to:

iframeRef.value.contentWindow.postMessage({ ... }, targetOrigin)

This preserves existing functionality (the iframe is same-origin, so the message still arrives) while enforcing an origin restriction, satisfying CodeQL and improving security. No new imports or external libraries are required.

Suggested changeset 1
structures-frontend-next/src/pages/GraphQLPlayground.vue

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/structures-frontend-next/src/pages/GraphQLPlayground.vue b/structures-frontend-next/src/pages/GraphQLPlayground.vue
--- a/structures-frontend-next/src/pages/GraphQLPlayground.vue
+++ b/structures-frontend-next/src/pages/GraphQLPlayground.vue
@@ -22,7 +22,8 @@
 
 onMounted(() => {
   const namespace = getQueryParam('namespace') || 'default'
-  
+  const targetOrigin = window.location.origin
+
   // Determine auth method based on whether we have an OIDC user
   const isOidcAuth = USER_STATE.oidcUser !== null
   const token = isOidcAuth ? Cookies.get('token') : null
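Review bot: the new `const targetOrigin = window.location.origin` bakes the same-origin assumption into the code without recording it; if the iframe `src` for `/graphiql.html` is ever pointed at another host, `postMessage` will silently drop the message and the playground will appear broken with no error. Suggest a one-line comment next to the constant stating that `/graphiql.html` must be served from the app origin, or deriving the value from the iframe's resolved `src` (for example `new URL(iframeRef.value.src, window.location.href).origin`) so the assumption is checked rather than implied.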
@@ -38,7 +39,7 @@
       namespace, 
       token,      // Will be set for OIDC, null for basic auth
       sessionId   // Will be set for both, used by basic auth
-    }, '*')
+    }, targetOrigin)
   })
 })
 </script>
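Review bot: passing `targetOrigin` here only restricts where the browser delivers the message; it does nothing on the receiving side, and nothing in this patch shows `/graphiql.html` checking `event.origin` before using `token` and `sessionId`. Please confirm (or add) an `event.origin === window.location.origin` check in the playground page's `message` listener, otherwise any window that can obtain a reference to the iframe could still inject a message with a forged `token`. Minor: the context line `namespace, ` carries trailing whitespace that a formatter will flag.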
EOF
Comment on lines +37 to +41
iframeRef.value.contentWindow.postMessage({
namespace,
token, // Will be set for OIDC, null for basic auth
sessionId // Will be set for both, used by basic auth
}, '*')

Check warning

Code scanning / CodeQL

Cross-window communication with unrestricted target origin (Medium)

Sensitive data is sent to another window without origin restriction.

Copilot Autofix

AI 2 days ago

In general, the fix is to restrict postMessage to a specific, trusted origin instead of using '*'. That way, even if the iframe or window is navigated to a malicious site, the browser will not deliver the sensitive message unless the recipient’s origin matches the expected value.

For this specific code, the least invasive change that preserves existing behavior is to replace the '*' target origin with window.location.origin, assuming /scalar-ui.html is served from the same origin as the parent app. This keeps communication working in the normal deployment (same-origin iframe) while preventing the message from being delivered if the iframe is ever navigated to another origin. We only need to modify the postMessage call inside the load event listener in OpenAPIPlayground.vue; no new imports or helper functions are required.

Concretely:

  • In structures-frontend-next/src/pages/OpenAPIPlayground.vue, update line 41 from }, '*') to }, window.location.origin).
  • Leave the rest of the logic (namespace, token, sessionId preparation and event handling) unchanged.
Suggested changeset 1
structures-frontend-next/src/pages/OpenAPIPlayground.vue

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/structures-frontend-next/src/pages/OpenAPIPlayground.vue b/structures-frontend-next/src/pages/OpenAPIPlayground.vue
--- a/structures-frontend-next/src/pages/OpenAPIPlayground.vue
+++ b/structures-frontend-next/src/pages/OpenAPIPlayground.vue
@@ -38,7 +38,7 @@
       namespace, 
       token,      // Will be set for OIDC, null for basic auth
       sessionId   // Will be set for both, used by basic auth
-    }, '*')
+    }, window.location.origin)
   })
 })
 </script>
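Review bot: this inlines `window.location.origin` at the call site while the companion fix in GraphQLPlayground.vue introduces a named `targetOrigin` constant; use the same pattern in both files so the same-origin assumption for `/scalar-ui.html` lives in one clearly commented place. As with the other playground, the receiving page must still validate `event.origin` before trusting `token` or `sessionId`; the `targetOrigin` argument alone does not protect the receiver.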
EOF
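The origin restriction both autofixes describe, as an added example that is not code from the structures-frontend-next project: a helper that resolves the `targetOrigin` for an embedded playground from the iframe's `src` and the parent page's origin (refusing to fall back to `'*'`, and allowing an explicit allow list if the playground is ever hosted on another origin), plus the receiver-side `event.origin` check that the page inside the iframe needs, since the `targetOrigin` argument only constrains delivery. The paths `/graphiql.html` and `/scalar-ui.html` come from the PR; the origins and session values are constructed.

```javascript
// Added example, not project code. Pure functions so the logic can be run
// and tested outside a browser; in the page they wrap
// iframeRef.value.contentWindow.postMessage(message, targetOrigin).

// Resolve the iframe src against the parent page origin and return the
// concrete origin the message must be addressed to. Throws instead of
// returning '*', so credentials can never be broadcast to any origin.
// allowedOrigins defaults to the same-origin assumption the PR makes.
function resolveTargetOrigin(iframeSrc, pageOrigin, allowedOrigins = [pageOrigin]) {
  const origin = new URL(iframeSrc, pageOrigin).origin;
  if (!allowedOrigins.includes(origin)) {
    throw new Error(`playground origin ${origin} is not in the allow list`);
  }
  return origin;
}

// Build the payload the parent posts (namespace, token, sessionId) together
// with the origin it must be posted to. Mirrors the shape used in the PR.
function buildPlaygroundMessage({ namespace, token, sessionId }, iframeSrc, pageOrigin, allowedOrigins) {
  return {
    message: {
      namespace: namespace || 'default',
      token: token === undefined ? null : token, // set for OIDC, null for basic auth
      sessionId,                                 // set for both auth methods
    },
    targetOrigin: resolveTargetOrigin(iframeSrc, pageOrigin, allowedOrigins),
  };
}

// Receiver side (inside /graphiql.html or /scalar-ui.html): accept the
// credentials only when the MessageEvent came from the expected parent.
// `event` has the MessageEvent shape that matters here: { origin, data }.
function acceptPlaygroundMessage(event, expectedParentOrigin) {
  if (event.origin !== expectedParentOrigin) {
    return null; // forged or stray message: token and sessionId are ignored
  }
  const { namespace, token, sessionId } = event.data || {};
  if (typeof sessionId !== 'string' || sessionId.length === 0) {
    return null; // malformed payload, do not fall through to auth logic
  }
  return { namespace, token, sessionId };
}
```

`resolveTargetOrigin` fails loudly when the playground is not on an allowed origin, which is preferable to the silent non-delivery that a mismatched `targetOrigin` produces.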
@NickPadilla NickPadilla merged commit 1e2a947 into develop Jan 28, 2026
2 of 4 checks passed
@NavidMitchell NavidMitchell deleted the preRelease branch January 30, 2026 00:30