Fix origin validation to support Libby subdomain patterns

pdugan20 · pdugan20 · commit ed39da63f3d9 · 2026-01-23T09:52:06.000-08:00
Libby uses dynamic subdomains like dewey-abc123.listen.libbyapp.com
for content delivery. Update origin validation to use regex patterns
that match both exact domains and subdomains.

- Replace exact string matching with regex patterns
- Support subdomain patterns: *.listen.libbyapp.com, *.thunder.libbyapp.com
- Update both content script and shared validators
- Fixes "Rejected message from untrusted origin" errors
diff --git a/chrome-extension/content/content.js b/chrome-extension/content/content.js
@@ -51,16 +51,18 @@
   // VALIDATORS
   // ====================================
 
-  const VALID_ORIGINS = [
-    'https://listen.libbyapp.com',
-    'https://thunder.libbyapp.com',
+  // Valid origin patterns for Libby domains
+  // Supports both exact matches and subdomains (e.g., dewey-abc123.listen.libbyapp.com)
+  const VALID_ORIGIN_PATTERNS = [
+    /^https:\/\/([a-z0-9-]+\.)?listen\.libbyapp\.com$/,
+    /^https:\/\/([a-z0-9-]+\.)?thunder\.libbyapp\.com$/,
   ];
 
   function validateOrigin(origin) {
     if (origin === window.location.origin) {
       return true;
     }
-    return VALID_ORIGINS.some((validOrigin) => origin === validOrigin);
+    return VALID_ORIGIN_PATTERNS.some((pattern) => pattern.test(origin));
   }
 
   function validateBookData(bookData) {
diff --git a/chrome-extension/shared/validators.js b/chrome-extension/shared/validators.js
@@ -4,12 +4,13 @@
  */
 
 /**
- * Valid origins for postMessage communication
- * Only accept messages from Libby's iframe domain
+ * Valid origin patterns for postMessage communication
+ * Supports both exact matches and subdomains (e.g., dewey-abc123.listen.libbyapp.com)
+ * Only accept messages from Libby's iframe domains
  */
-const VALID_ORIGINS = [
-  'https://listen.libbyapp.com',
-  'https://thunder.libbyapp.com',
+const VALID_ORIGIN_PATTERNS = [
+  /^https:\/\/([a-z0-9-]+\.)?listen\.libbyapp\.com$/,
+  /^https:\/\/([a-z0-9-]+\.)?thunder\.libbyapp\.com$/,
 ];
 
 /**
@@ -23,8 +24,8 @@ export function validateOrigin(origin) {
     return true;
   }
 
-  // Check against whitelist
-  return VALID_ORIGINS.some((validOrigin) => origin === validOrigin);
+  // Check against pattern whitelist
+  return VALID_ORIGIN_PATTERNS.some((pattern) => pattern.test(origin));
 }
 
 /**
@@ -106,7 +107,7 @@ export function sanitizeFilename(filename) {
 export function validateLibbyUrl(url) {
   try {
     const urlObj = new URL(url);
-    return VALID_ORIGINS.some((origin) => urlObj.origin === origin);
+    return VALID_ORIGIN_PATTERNS.some((pattern) => pattern.test(urlObj.origin));
   } catch {
     return false;
   }
