fix: Update login URL construction in layoutauth.html and restrict postMessage targetOrigin in layout-designer-page.twig

2026-04-07 19:37:39 -04:00
parent 9a9ec7661c
commit d1c69404bb
2 changed files with 4 additions and 3 deletions
--- a/ots-signs/layoutauth.html
+++ b/ots-signs/layoutauth.html
@@ -195,7 +195,7 @@
      .catch(function () {
        // Not authenticated — send to the CMS login page, preserving the return URL
        var returnUrl = encodeURIComponent(window.location.href);
-        var loginUrl = window.location.origin + "/" + slug + "/cms/login?redirect=" + returnUrl;
+        var loginUrl = window.location.origin + cmsBase + "/login?redirect=" + returnUrl;
        window.location.replace(loginUrl);
      });
    })();
--- a/ots-signs/views/layout-designer-page.twig
+++ b/ots-signs/views/layout-designer-page.twig
@@ -576,8 +576,9 @@
            ? document.getElementById('layout-editor').getAttribute('data-layout-id')
            : null;

-        // TODO: For production, restrict targetOrigin to your app's domain
-        var targetOrigin = '*';
+        // Restrict postMessage to the known React app origin.
+        // window.location.origin is the CMS origin; the parent app is on the same host.
+        var targetOrigin = window.location.origin;

        /**
         * Send a message to the parent window.