From a13d58f6c254aa8cd057edefdd54b229108b633b Mon Sep 17 00:00:00 2001
From: Richard Lewis
Date: Thu, 24 May 2018 14:58:59 +0100
Subject: [PATCH 1/2] More thorough check of IM URL validity.

---
 src/components/views/elements/AppTile.js | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/src/components/views/elements/AppTile.js b/src/components/views/elements/AppTile.js
index 0895ede636..e4d003b59b 100644
--- a/src/components/views/elements/AppTile.js
+++ b/src/components/views/elements/AppTile.js
@@ -122,23 +122,32 @@ export default class AppTile extends React.Component {
 
     /**
      * Returns true if specified url is a scalar URL, typically https://scalar.vector.im/api
-     * @param {[type]} url URL to check
+     * @param {[type]} testUrlString URL to check
      * @return {Boolean} True if specified URL is a scalar URL
      */
-    isScalarUrl(url) {
-        if (!url) {
+    isScalarUrl(testUrlString) {
+        if (!testUrlString) {
             console.error('Scalar URL check failed. No URL specified');
             return false;
         }
 
+        const testUrl = url.parse(testUrlString);
+
         let scalarUrls = SdkConfig.get().integrations_widgets_urls;
         if (!scalarUrls || scalarUrls.length == 0) {
             scalarUrls = [SdkConfig.get().integrations_rest_url];
         }
 
         for (let i = 0; i < scalarUrls.length; i++) {
-            if (url.startsWith(scalarUrls[i])) {
-                return true;
+            const scalarUrl = url.parse(scalarUrls[i]);
+            if (testUrl && scalarUrl) {
+                if (
+                    testUrl.protocol === scalarUrl.protocol &&
+                    testUrl.host === scalarUrl.host &&
+                    testUrl.pathname.startsWith(scalarUrl.pathname)
+                ) {
+                    return true;
+                }
             }
         }
         return false;

From 9753ee8d825001e76e726d2173068ee5d144ac31 Mon Sep 17 00:00:00 2001
From: Richard Lewis
Date: Thu, 24 May 2018 16:14:18 +0100
Subject: [PATCH 2/2] Better check of jitsi widget message origin.

---
 src/components/views/elements/AppTile.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

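Review bot: The `if (testUrl && scalarUrl)` guard in the new loop body can never fail — the legacy `url.parse` returns an object for any string — so a config entry whose `protocol` and `host` both parse as null still compares equal to a test string that also lacks them, and `testUrl.pathname` can be null for some inputs under that parser, in which case `.startsWith` throws instead of the function returning false. Guard on the parsed fields instead, once after the parse: `if (!testUrl.protocol || !testUrl.host || !testUrl.pathname) return false;`, and skip a config entry the same way inside the loop. The path comparison is also a raw string prefix, so a configured base of `/api` accepts `/apiX`; compare on a segment boundary, e.g. `testUrl.pathname === scalarUrl.pathname || testUrl.pathname.startsWith(scalarUrl.pathname.replace(/\/?$/, '/'))`. Note that the old `url.startsWith(scalarUrls[i])` returned false when `integrations_rest_url` was undefined, whereas Node's `url.parse` throws on a non-string argument, so the unchanged fallback on the `integrations_rest_url` line now needs a non-empty check before it is parsed. Which `url` module is imported here is outside the hunk, as is the closing brace of `isScalarUrl`.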
diff --git a/src/components/views/elements/AppTile.js b/src/components/views/elements/AppTile.js
index e4d003b59b..018b6cb342 100644
--- a/src/components/views/elements/AppTile.js
+++ b/src/components/views/elements/AppTile.js
@@ -278,7 +278,12 @@ export default class AppTile extends React.Component {
             event.origin = event.originalEvent.origin;
         }
 
-        if (!this.state.widgetUrl.startsWith(event.origin)) {
+        const widgetUrlObj = url.parse(this.state.widgetUrl);
+        const eventOrigin = url.parse(event.origin);
+        if (
+            eventOrigin.protocol !== widgetUrlObj.protocol ||
+            eventOrigin.host !== widgetUrlObj.host
+        ) {
             return;
         }
 
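Review bot: The new origin comparison still accepts a message whenever both sides fail to parse: an opaque origin arrives as the literal string `"null"`, `url.parse` gives it a null `protocol` and `host`, and if `this.state.widgetUrl` were ever empty or relative the two nulls compare equal and the handler falls through to the code below the hunk. Reject unparseable values explicitly before the comparison: `if (!eventOrigin.protocol || !eventOrigin.host || !widgetUrlObj.host) return;`. The accepted-message path and the rest of this handler are outside the hunk. The check also binds trust to the widget URL held in state rather than to whatever document the frame has since navigated to, which is presumably the intended model but deserves a one-line comment on the `widgetUrlObj` line so the next reader does not mistake it for a per-document check.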