check against earlier registered origin instead of valid origins

altair-graphql · May 29, 2024 · 1e8b51e · 1e8b51e
1 parent 1058696
commit 1e8b51e
Showing 1 changed file with 3 additions and 4 deletions.
diff --git a/packages/altair-iframe-sandbox/src/evaluator.frame.ts b/packages/altair-iframe-sandbox/src/evaluator.frame.ts
@@ -2,26 +2,25 @@ import {
   ScriptEvaluatorWorker,
   ScriptWorkerMessageData,
 } from 'altair-graphql-core/build/script/types';
-import { validOrigins } from 'altair-graphql-core/build/origins';
 
 export class EvaluatorFrameWorker extends ScriptEvaluatorWorker {
-  origin = '';
+  private origin: string;
 
   constructor() {
     super();
     const params = new URLSearchParams(window.location.search);
     // Get the source origin that embeds the iframe from the URL query parameter
     const source = params.get('sc');
 
-    if (!source || !validOrigins.includes(source)) {
+    if (!source) {
       throw new Error('Invalid source provided!');
     }
     this.origin = source;
   }
 
   onMessage(handler: (e: ScriptWorkerMessageData) => void): void {
     window.addEventListener('message', (e) => {
-      if (e.origin && !validOrigins.includes(e.origin)) {
+      if (e.origin !== this.origin) {
         return;
       }
       handler(e.data);