Skip to content

Validate script message origin (host:port)#4470

Merged
bgoncal merged 2 commits intomainfrom
add-port-compare
Apr 2, 2026
Merged

Validate script message origin (host:port)#4470
bgoncal merged 2 commits intomainfrom
add-port-compare

Conversation

@bgoncal
Copy link
Copy Markdown
Member

@bgoncal bgoncal commented Apr 2, 2026

Summary

Screenshots

Link to pull request in Documentation repository

Documentation: home-assistant/companion.home-assistant#

Any other notes

@bgoncal bgoncal requested a review from TimoPtr April 2, 2026 12:06
@bgoncal bgoncal self-assigned this Apr 2, 2026
Copilot AI review requested due to automatic review settings April 2, 2026 12:06
@bgoncal bgoncal added the WebView label Apr 2, 2026
@bgoncal bgoncal mentioned this pull request Apr 2, 2026
Merged
Copilot AI reviewed Apr 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR tightens the WKScriptMessageHandler allow-list by validating the message’s origin using host:port instead of only host, aiming to better restrict which web content can communicate with the native bridge.

Changes:

  • Updated SafeScriptMessageHandler to include the origin port in allow/deny decisions.
  • Added port normalization for configured server URLs (defaulting http/https to 80/443 when the URL omits an explicit port).
  • Updated unit tests to exercise host+port allow/deny behavior and renamed an origin-related test.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
Tests/App/WebView/SafeScriptMessageHandlerTests.swift Updates tests to pass ports into shouldAllowMessage and adds a negative case for mismatched ports.
Sources/App/Frontend/ExternalMessageBus/SafeScriptMessageHandler.swift Switches validation from host-only to host+port “origin key” and adds URL port normalization for configured server addresses.

@codecov
Copy link
Copy Markdown

codecov bot commented Apr 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@c8f35e4). Learn more about missing BASE report.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #4470   +/-   ##
=======================================
  Coverage        ?   42.33%           
=======================================
  Files           ?      268           
  Lines           ?    15758           
  Branches        ?        0           
=======================================
  Hits            ?     6671           
  Misses          ?     9087           
  Partials        ?        0

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@bgoncal bgoncal merged commit 034b8b3 into main Apr 2, 2026
19 of 20 checks passed
@bgoncal bgoncal deleted the add-port-compare branch April 2, 2026 20:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@TimoPtr TimoPtr Awaiting requested review from TimoPtr

Assignees

@bgoncal bgoncal

Labels

cla-signed connection WebView

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bgoncal @TimoPtr