From 2aa166ac199535a35291abb11c9e07632feadbfe Mon Sep 17 00:00:00 2001
From: Tankred Hase
Date: Thu, 23 Apr 2015 17:09:10 +0200
Subject: [PATCH] [WO-03-008] Fix no Origin Checks for postMessage Communication (High)
---
 src/js/controller/app/read-sandbox.js | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/js/controller/app/read-sandbox.js b/src/js/controller/app/read-sandbox.js
index 0b32ed3..593b2ab 100644
--- a/src/js/controller/app/read-sandbox.js
+++ b/src/js/controller/app/read-sandbox.js
@@ -12,6 +12,11 @@ DOMPurify.addHook('afterSanitizeAttributes', function(node) {
 window.onmessage = function(e) {
 var html = '';
+ // ignore messages from other origins to prevent XSS
+ if (e.origin !== location.origin) {
+ return;
+ }
+
 if (e.data.html) {
 // display html mail body
 html = e.data.html;