-
Notifications
You must be signed in to change notification settings - Fork 0
/
Cross-Orig-Comm-w-localStorage-Integration.js
71 lines (55 loc) · 4.33 KB
/
Cross-Orig-Comm-w-localStorage-Integration.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
Info: Secure Cross-Origin Communication Script with localStorage Integration
Prereq. knowledge: In JavaScript, everything is an Object under the hood. And typically objects have properties and methods associated with them. What this attack technique allows us to do is to alter the properties of Objects by tampering with their Prototypes.
Defined: Prototype
Lets look at this IIFE example of JS:
(function(){var hls,ls,s="string";try{hls=!!window.localStorage;ls=localStorage}catch(e){hls=false;}
function hd(e){
var d;try{d=JSON.parse(e.data);}catch(e){return;}if((typeof d.key!=s)||(d.key.indexOf("DV_IFRAME_MSG")!=0)){return;}
if('get'in d&&typeof d.get==s){
if(hls){sm(d.key,ls.getItem(d.get),ls.getItem(d.get+'__')||0)}else{sm(d.key,null,0)}}
if('set'in d&&'key'in d.set&&'value'in d.set&&typeof d.set.key==s&&typeof d.set.value==s){
if(hls){ls.setItem(d.set.key,d.set.value);ls.setItem(d.set.key+'__',new Date().getTime())
if(d.set.keepFresh){setInterval(function(){ls.setItem(d.set.key+'__',new Date().getTime())},5000);}}}}
function sm(k,v,s){window.parent.postMessage(JSON.stringify({key:k,value:v,time:s}),'*')}
function on(tg,tp,h,c){c=!!c;if(tg.addEventListener){tg.addEventListener(tp,h,c);}
else{tg.attachEvent("on"+tp,function(e){return h.call(tg,e);},c);}}on(window,"message",hd,false);})();
Facts aout this block:
* self-executing
* anonymous function (also known as an Immediately Invoked Function Expression or IIFE)
* JavaScript
* aims to facilitate communication between an iframe and its parent window using the postMessage API
Let's break down the code:
(function(){ ... })(); - This is the IIFE syntax,
which encapsulates the entire code block within a function and immediately invokes it.
This pattern is commonly used to create private scopes and avoid polluting the global namespace
var hls,ls,s="string"; - Three variables hls, ls, and s are declared.
hls is used to check if the browser supports localStorage
ls represents the localStorage object
s is assigned the string value "string"
try { ... } catch(e) { ... }:
try-catch statement used to handle exceptions.
It attempts to execute the code within the try block
if an exception occurs, it is caught and handled within the
catch block.
In this case, it checks if localStorage is supported by the browser
and assigns its value to hls. If an exception occurs (e.g., due to
browser security restrictions), hls is set to false.
function hd(e) { ... }: This function (hd) is defined to handle incoming messages
from the parent window. It first attempts to parse the incoming message
(e.data) as JSON. If parsing is successful and the parsed object has
a key property starting with "DV_IFRAME_MSG", it proceeds to handle
the message. Depending on the content of the message, it may
retrieve or set data in the localStorage. Finally, it sends a
message back to the parent window with the retrieved or updated data.
function sm(k, v, s) { ... }: This function (sm) is defined to send messages to
the parent window. It constructs a JSON object containing
a key-value pair and a timestamp, then sends this object
to the parent window using postMessage.
function on(tg, tp, h, c) { ... }: This function (on) is defined to add event listeners
to DOM elements. It checks if the browser supports
addEventListener and uses it if available; otherwise,
it falls back to attachEvent (for older versions of
Internet Explorer). This function is used to attach
the message event listener to the window object.
on(window, "message", hd, false);: This line adds an event listener for the message event on the window object, with the hd function as the event handler.
Overall, this code is used to facilitate secure communication between an iframe and its parent window by leveraging the postMessage API and localStorage for data storage. It's likely part of a larger web application that requires cross-origin communication or data sharing between different parts of the application.