From: Rohan Sharma <i.am.lone.survivor@protonmail.com>
Date: Tue, 1 Feb 2022 16:34:48 +0000 (+0530)
Subject: Fixed prototype pollution bug and only allow trusted origin (#17420)
X-Git-Url: https://git.xn--scling-oua.cat.family/?a=commitdiff_plain;h=4d6d4b43c6186a13e67b92eaf70fe1b70ea24a09;p=mastodon.git

Fixed prototype pollution bug and only allow trusted origin (#17420)
---

diff --git a/public/embed.js b/public/embed.js
index dac507453..d597fd33c 100644
--- a/public/embed.js
+++ b/public/embed.js
@@ -15,7 +15,7 @@
     window.addEventListener('message', function(e) {
       var data = e.data || {};
 
-      if (data.type !== 'setHeight' || !iframes[data.id]) {
+      if (data.type !== 'setHeight' || !iframes[data.id] || window.location.origin !== e.origin || data.id.toString() === '__proto__') {
         return;
       }