diff --git a/src/WidgetMessaging.js b/src/WidgetMessaging.js index 5f877bd48a..3b3926b724 100644 --- a/src/WidgetMessaging.js +++ b/src/WidgetMessaging.js @@ -41,9 +41,18 @@ if (!global.mxToWidgetMessaging) { const OUTBOUND_API_NAME = 'toWidget'; export default class WidgetMessaging { - constructor(widgetId, widgetUrl, isUserWidget, target) { + /** + * @param {string} widgetId The widget's ID + * @param {string} wurl The raw URL of the widget as in the event (the 'wURL') + * @param {string} renderedUrl The url used in the widget's iframe (either similar to the wURL + * or a different URL of the clients choosing if it is using its own impl). + * @param {bool} isUserWidget If true, the widget is a user widget, otherwise it's a room widget + * @param {object} target Where widget messages should be sent (eg. the iframe object) + */ + constructor(widgetId, wurl, renderedUrl, isUserWidget, target) { this.widgetId = widgetId; - this.widgetUrl = widgetUrl; + this.wurl = wurl; + this.renderedUrl = renderedUrl; this.isUserWidget = isUserWidget; this.target = target; this.fromWidget = global.mxFromWidgetMessaging; @@ -128,19 +137,19 @@ export default class WidgetMessaging { } start() { - this.fromWidget.addEndpoint(this.widgetId, this.widgetUrl); + this.fromWidget.addEndpoint(this.widgetId, this.renderedUrl); this.fromWidget.addListener("get_openid", this._onOpenIdRequest); } stop() { - this.fromWidget.removeEndpoint(this.widgetId, this.widgetUrl); + this.fromWidget.removeEndpoint(this.widgetId, this.renderedUrl); this.fromWidget.removeListener("get_openid", this._onOpenIdRequest); } async _onOpenIdRequest(ev, rawEv) { if (ev.widgetId !== this.widgetId) return; // not interesting - const widgetSecurityKey = WidgetUtils.getWidgetSecurityKey(this.widgetId, this.widgetUrl, this.isUserWidget); + const widgetSecurityKey = WidgetUtils.getWidgetSecurityKey(this.widgetId, this.wurl, this.isUserWidget); const settings = SettingsStore.getValue("widgetOpenIDPermissions"); if (settings.deny && settings.deny.includes(widgetSecurityKey)) { @@ -161,7 +170,7 @@ export default class WidgetMessaging { // Actually ask for permission to send the user's data Modal.createTrackedDialog("OpenID widget permissions", '', WidgetOpenIDPermissionsDialog, { - widgetUrl: this.widgetUrl, + widgetUrl: this.wurl, widgetId: this.widgetId, isUserWidget: this.isUserWidget, diff --git a/src/components/views/elements/AppTile.js b/src/components/views/elements/AppTile.js index ae5fe9a35c..80db1718f6 100644 --- a/src/components/views/elements/AppTile.js +++ b/src/components/views/elements/AppTile.js @@ -424,13 +424,13 @@ export default class AppTile extends React.Component { _setupWidgetMessaging() { // FIXME: There's probably no reason to do this here: it should probably be done entirely // in ActiveWidgetStore. - - // We use the app's URL over the rendered URL so that anything the widget does which could - // lead to requesting a "security key" will pass accordingly. The only other thing this URL - // is used for is to determine the origin we're talking to, and therefore we don't need the - // fully templated URL. const widgetMessaging = new WidgetMessaging( - this.props.app.id, this._getRenderedUrl(), this.props.userWidget, this._appFrame.current.contentWindow); + this.props.app.id, + this.props.app.url, + this._getRenderedUrl(), + this.props.userWidget, + this._appFrame.current.contentWindow, + ); ActiveWidgetStore.setWidgetMessaging(this.props.app.id, widgetMessaging); widgetMessaging.getCapabilities().then((requestedCapabilities) => { console.log(`Widget ${this.props.app.id} requested capabilities: ` + requestedCapabilities);