fix: Update login URL construction in layoutauth.html and restrict postMessage targetOrigin in layout-designer-page.twig

Matt Batchelder
2026-04-07 19:37:39 -04:00
parent 9a9ec7661c
commit d1c69404bb
2 changed files with 4 additions and 3 deletions


@@ -195,7 +195,7 @@
.catch(function () { .catch(function () {
// Not authenticated — send to the CMS login page, preserving the return URL // Not authenticated — send to the CMS login page, preserving the return URL
var returnUrl = encodeURIComponent(window.location.href); var returnUrl = encodeURIComponent(window.location.href);
var loginUrl = window.location.origin + "/" + slug + "/cms/login?redirect=" + returnUrl; var loginUrl = window.location.origin + cmsBase + "/login?redirect=" + returnUrl;
window.location.replace(loginUrl); window.location.replace(loginUrl);
}); });
})(); })();
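Review bot: The rewritten `var loginUrl` line splices `cmsBase` straight between `window.location.origin` and `"/login"`, so a correct URL depends on `cmsBase` carrying exactly one leading slash and no trailing slash; `cmsBase` is defined outside this hunk, so that shape cannot be confirmed here, and a value without the leading slash would glue onto the host while a trailing slash would produce `//login`. Building the URL with the URL API removes that dependency and takes over the `redirect` encoding, so the `encodeURIComponent` line can go: `var loginUrl = new URL(cmsBase + "/login", window.location.origin); loginUrl.searchParams.set("redirect", window.location.href);` followed by `window.location.replace(loginUrl.href);`. With `window.location.origin` as the base the login redirect stays on the current origin whatever `cmsBase` holds, which deserves a one-line comment so a later change does not swap in a base taken from the page URL. The `.catch` handler and the IIFE enclosing it begin before this hunk.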


@@ -576,8 +576,9 @@
? document.getElementById('layout-editor').getAttribute('data-layout-id') ? document.getElementById('layout-editor').getAttribute('data-layout-id')
: null; : null;
// TODO: For production, restrict targetOrigin to your app's domain // Restrict postMessage to the known React app origin.
var targetOrigin = '*'; // window.location.origin is the CMS origin; the parent app is on the same host.
var targetOrigin = window.location.origin;
/** /**
* Send a message to the parent window. * Send a message to the parent window.