From d1c69404bbc9656d56d45c0b4d52032b62a08324 Mon Sep 17 00:00:00 2001
From: Matt Batchelder
Date: Tue, 7 Apr 2026 19:37:39 -0400
Subject: [PATCH] fix: Update login URL construction in layoutauth.html and restrict postMessage targetOrigin in layout-designer-page.twig
---
 ots-signs/layoutauth.html | 2 +-
 ots-signs/views/layout-designer-page.twig | 5 +++-
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/ots-signs/layoutauth.html b/ots-signs/layoutauth.html
index 9884e5d..2cbebec 100644
--- a/ots-signs/layoutauth.html
+++ b/ots-signs/layoutauth.html
@@ -195,7 +195,7 @@
 .catch(function () {
 // Not authenticated — send to the CMS login page, preserving the return URL
 var returnUrl = encodeURIComponent(window.location.href);
-var loginUrl = window.location.origin + "/" + slug + "/cms/login?redirect=" + returnUrl;
+var loginUrl = window.location.origin + cmsBase + "/login?redirect=" + returnUrl;
 window.location.replace(loginUrl);
 });
 })();
diff --git a/ots-signs/views/layout-designer-page.twig b/ots-signs/views/layout-designer-page.twig
index 28d03cc..971e812 100644
--- a/ots-signs/views/layout-designer-page.twig
+++ b/ots-signs/views/layout-designer-page.twig
@@ -576,8 +576,9 @@
 ? document.getElementById('layout-editor').getAttribute('data-layout-id')
 : null;
 
-// TODO: For production, restrict targetOrigin to your app's domain
-var targetOrigin = '*';
+// Restrict postMessage to the known React app origin.
+// window.location.origin is the CMS origin; the parent app is on the same host.
+var targetOrigin = window.location.origin;
 
 /**
 * Send a message to the parent window.
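Review bot: `cmsBase` on the added `loginUrl` line is not defined anywhere in the hunk (the enclosing IIFE starts before it), and the leading `"/"` that the old `"/" + slug` concatenation carried is gone, so if `cmsBase` ever lacks a leading slash the result is `window.location.origin + "cms..."`, which changes the host part of the URL and sends the user to a different origin rather than a path on the CMS. Resolving the path against the origin instead of string-concatenating removes that dependency and also takes care of the query encoding: `var loginUrl = new URL(cmsBase + "/login", window.location.origin);` `loginUrl.searchParams.set("redirect", window.location.href);` `window.location.replace(loginUrl.href);`. If this file must stay ES5-only, at least guard with `if (cmsBase.charAt(0) !== "/") cmsBase = "/" + cmsBase;` before building the string.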
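Review bot: The new comment justifies `var targetOrigin = window.location.origin;` with "the parent app is on the same host", but postMessage compares the full origin (scheme, host and port), not the host, and a mismatch is silent — the message is dropped with no error — so any environment where the React parent is served on a different port or scheme leaves the designer unable to communicate with nothing in the console. If the parent's origin is known when the Twig template is rendered it should be injected as a configured value rather than assumed equal to the CMS origin; otherwise the comment should state the real requirement, e.g. `// Delivered only if the parent document's origin (scheme+host+port) equals this page's; a mismatch drops the message silently.` The receiving side should check `event.origin` against the same value before acting on a message; that code is outside this hunk, as is the start of the enclosing script block.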