fix(security): origin check on service-worker message handler (CodeQL js/missing-origin-check) (#208)

MartinCastroAlvarez · martin-castro-laminr-ai · claude · web-flow · commit 5e8fb6e33b9e · 2026-05-27T00:07:13.000+02:00
The PWA service worker's `message` handler (the `dar:purge` cache-on-logout hook, #200) processed messages without verifying the sender origin — CodeQL `js/missing-origin-check` (medium). A cross-origin frame must never be able to drive the SW cache. Add `if (event.origin && event.origin !== self.location.origin) return;` so only same-origin clients (the SPA pages this worker controls) can trigger a purge. Same-origin internal `client.postMessage` (empty origin) is still accepted; anything cross-origin is dropped. This is the one open CodeQL alert on main (the other 10 are fixed via #191/#193). Clears it → 0 open. Test asserts the served SW embeds the origin check. Co-authored-by: Martin Castro Laminrs <mcastro@laminr.ai> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/django_admin_react/templates/admin_react/sw.js b/django_admin_react/templates/admin_react/sw.js
@@ -46,6 +46,15 @@ self.addEventListener('activate', (event) => {
 
 // --- cache purge on logout (contract §5) ----------------------------------
 self.addEventListener('message', (event) => {
+  // Origin check (CodeQL js/missing-origin-check): only honour messages
+  // from our own origin — the SPA pages this worker controls. A
+  // cross-origin frame must never be able to drive the cache. When the
+  // message comes from a same-origin client, `event.origin` is our
+  // origin; for some internal client.postMessage paths it can be the
+  // empty string — both are accepted, anything else is dropped.
+  if (event.origin && event.origin !== self.location.origin) {
+    return;
+  }
   if (event.data && event.data.type === 'dar:purge') {
     event.waitUntil(
       (async () => {
diff --git a/tests/test_pwa.py b/tests/test_pwa.py
@@ -121,6 +121,9 @@ def test_sw_embeds_mount_and_security_guards(anon_client: Client) -> None:
     assert "request.method !== 'GET'" in js
     # Cache-purge-on-logout message handler.
     assert "dar:purge" in js
+    # Origin check on the message handler (CodeQL js/missing-origin-check):
+    # a cross-origin frame must not be able to drive the SW cache.
+    assert "event.origin" in js and "self.location.origin" in js
 
 
 @pytest.mark.django_db
