restrict post messages to origin if used

jagdeep sidhu · jagdeep sidhu · commit 2d1b1f96d657 · 2025-08-31T10:42:10.000-07:00
diff --git a/source/scripts/ContentScript/inject/BaseProvider.ts b/source/scripts/ContentScript/inject/BaseProvider.ts
@@ -328,7 +328,7 @@ export class BaseProvider extends EventEmitter {
           type,
           data,
         },
-        '*'
+        window.location.origin
       );
     });
 }
diff --git a/trezor-usb-permissions.js b/trezor-usb-permissions.js
@@ -19,11 +19,21 @@
       });
       setStatus('USB permission granted. You can close this tab/window.');
       try {
-        window.opener &&
+        if (window.opener) {
+          let openerOrigin = '*';
+          try {
+            if (document.referrer) {
+              let url = new URL(document.referrer);
+              openerOrigin = url.origin;
+            }
+          } catch (_) {
+            openerOrigin = '*';
+          }
           window.opener.postMessage(
             { type: 'trezor-usb-permission-granted' },
-            '*'
+            openerOrigin
           );
+        }
       } catch (_) {}
     } catch (e) {
       setStatus(e && e.message ? e.message : 'USB permission error', true);

Original file line number	Diff line number	Diff line change
`@@ -328,7 +328,7 @@ export class BaseProvider extends EventEmitter {`
`328`	`328`	`type,`
`329`	`329`	`data,`
`330`	`330`	`},`
`331`		`- '*'`
	`331`	`+ window.location.origin`
`332`	`332`	`);`
`333`	`333`	`});`
`334`	`334`	`}`