From 2d5a2a9d48b3c7446cb00a2b3c8014b4edac3b11 Mon Sep 17 00:00:00 2001
From: Matthew Hodgson
Date: Fri, 16 Feb 2018 23:59:48 +0000
Subject: [PATCH] improve origin check of ScalarMessaging postmessage API.

ensures that https://scalar.ve can't access the API. many thanks to @rugk for pointing out the potential vuln. cc @rxl881 in case this bug has been transplanted elsewhere.
---
 src/ScalarMessaging.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/ScalarMessaging.js b/src/ScalarMessaging.js
index 3c164c6551..fc8ee9edf6 100644
--- a/src/ScalarMessaging.js
+++ b/src/ScalarMessaging.js
@@ -563,7 +563,7 @@ const onMessage = function(event) {
     const url = SdkConfig.get().integrations_ui_url;
     if (
         event.origin.length === 0 ||
-        !url.startsWith(event.origin) ||
+        !url.startsWith(event.origin + '/') ||
         !event.data.action ||
         event.data.api // Ignore messages with specific API set
     ) {
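Review bot: The new prefix check on the `+` line rejects the legitimate integrations UI whenever `integrations_ui_url` is configured without a trailing slash or path (a constructed example: `https://scalar.example`), because `event.origin` never carries a trailing `/`, so `url.startsWith(event.origin + '/')` is false for the real origin too. A string-prefix test is also a fragile stand-in for an origin comparison; parsing the configured URL and comparing origins directly, `new URL(url).origin !== event.origin ||`, in place of the `startsWith` clause handles both the trailing-slash case and the look-alike-host case this commit is closing (assuming `url` is always a well-formed absolute URL here, which the hunk does not show). A short comment on the condition would help the next reader, e.g. `// Only accept postMessage from the configured integrations UI origin.` The body of onMessage begins and ends outside this hunk.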