From PR #575 review feedback.
Problem
The postMessage handler for typo3:linkBrowser:close doesn't validate the message origin, which could theoretically allow cross-origin message injection.
Current State
- Handler only fires for actionType typo3:linkBrowser:close
- Link value is validated against TYPO3's allowed link types
- The attack surface is limited since the handler only processes link selections
Proposed Solution
Add origin checking by:
- Storing the expected origin when opening the link browser modal
- Validating event.origin matches before processing the message
Challenge
Adding origin checking requires knowing the TYPO3 backend URL at runtime, which may vary in different deployment scenarios.
Priority
Low - Defense-in-depth improvement, not a critical security issue.
File
Resources/Public/JavaScript/Plugins/typo3image.js
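One way to implement the proposed check, as an added example that is not code from the plugin or the PR: the expected origin is derived from the URL used to open the link browser, resolved against the current backend page, which avoids hard-coding the backend URL. The function names, the placeholder URLs and the payload field url are assumptions.

```javascript
// Added example. createLinkBrowserCloseHandler, expectedOriginFor and the
// payload field `url` are hypothetical names, not the plugin's own API.
const CLOSE_ACTION = 'typo3:linkBrowser:close';

// Resolve the origin the modal will post from at the moment it is opened.
// A relative link browser URL resolves against the current backend page,
// so the backend URL does not have to be configured in advance.
function expectedOriginFor(linkBrowserUrl, documentUrl) {
  const origin = new URL(linkBrowserUrl, documentUrl).origin;
  // Opaque origins (data:, sandboxed frames) serialize to "null".
  if (origin === 'null') {
    throw new Error('link browser URL has no usable origin');
  }
  return origin;
}

function createLinkBrowserCloseHandler(linkBrowserUrl, documentUrl, onLink) {
  const expectedOrigin = expectedOriginFor(linkBrowserUrl, documentUrl);
  return function handleMessage(event) {
    // Exact comparison only: prefix or substring checks would accept
    // look-alike hosts such as https://backend.example.other.test.
    if (event.origin !== expectedOrigin) return false;
    const data = event.data;
    if (data === null || typeof data !== 'object') return false;
    if (data.actionType !== CLOSE_ACTION) return false;
    onLink(data);
    return true;
  };
}

// Constructed sample: placeholder URLs and message events, run offline.
function runSample() {
  const accepted = [];
  const handler = createLinkBrowserCloseHandler(
    '/placeholder/link-browser',
    'https://backend.example/placeholder/edit',
    (data) => accepted.push(data.url)
  );
  const msg = { actionType: CLOSE_ACTION, url: 't3://page?uid=1' };
  const results = [
    handler({ origin: 'https://backend.example', data: msg }),
    handler({ origin: 'https://backend.example.other.test', data: msg }),
    handler({ origin: 'http://backend.example', data: msg }),
    handler({ origin: 'null', data: msg }),
    handler({ origin: 'https://backend.example', data: { actionType: 'x' } }),
  ];
  return { results, accepted };
}
```

In a browser the returned function would be registered with window.addEventListener('message', ...) when the modal opens and removed when it closes.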