webview: check message source frame (#10202)

Mitigate https://bugs.eclipse.org/bugs/show_bug.cgi?id=575924

Author: paul-marechal

packages/plugin-ext/src/main/browser/webview/pre/host.js

@@ -25,19 +25,28 @@
     const hostMessaging = new class HostMessaging {
         constructor() {
             this.handlers = new Map();
-            window.addEventListener('message', (e) => {
-                if (e.data && (e.data.command === 'onmessage' || e.data.command === 'do-update-state')) {
+            window.addEventListener('message', e => {
+                let sourceIsChildFrame = false;
+                for (let i = 0; i < window.frames.length; i++) {
+                    const frame = window.frames[i];
+                    if (e.source === frame) {
+                        sourceIsChildFrame = true;
+                        break;
+                    }
+                }
+                if (sourceIsChildFrame && e.data && (e.data.command === 'onmessage' || e.data.command === 'do-update-state')) {
                     // Came from inner iframe
                     this.postMessage(e.data.command, e.data.data);
-                    return;
                 }
-
-                const channel = e.data.channel;
-                const handler = this.handlers.get(channel);
-                if (handler) {
-                    handler(e, e.data.args);
-                } else {
-                    console.error('no handler for ', e);
+                // Note: `window.parent === window` when there is no parent...
+                if (sourceIsChildFrame || e.source === window.parent) {
+                    const channel = e.data.channel;
+                    const handler = this.handlers.get(channel);
+                    if (handler) {
+                        handler(e, e.data.args);
+                    } else {
+                        console.error('no handler for ', e);
+                    }
                 }
             });
         }

packages/plugin-ext/src/main/browser/webview/pre/main.js

@@ -193,7 +193,6 @@
             initialScrollProgress: undefined
         };
 
-
         /**
          * @param {HTMLDocument?} document
          * @param {HTMLElement?} body