Verify message origin in Draw.io listener
What does this MR do and why?
Closes Draw.io listener needs to verify message origin (#599715) by verifying the postMessage comes from the same origin as drawioUrl, i.e. gon.diagramsnet_url.
This doesn't fix any (as yet still theoretical) issues that could occur if gon.diagramsnet_url happened to be on the same origin as the GitLab instance itself.
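The origin check this MR describes, as an added example written for this page rather than GitLab's own listener code; `drawioUrl` stands in for gon.diagramsnet_url, and `handleDiagram` is a hypothetical callback for accepted messages.

```javascript
// Resolve the expected Draw.io origin once from the configured URL.
// An unparsable URL yields null, which makes every message untrusted.
function expectedOrigin(drawioUrl) {
  try {
    return new URL(drawioUrl).origin;
  } catch (e) {
    return null;
  }
}

// True only when the event's origin matches the Draw.io origin exactly.
// An origin combines scheme, host and port, so a lookalike host or a
// different scheme does not pass this comparison.
function isFromDrawio(event, drawioUrl) {
  const origin = expectedOrigin(drawioUrl);
  return origin !== null && event.origin === origin;
}

// Build a "message" listener that drops anything not sent by Draw.io.
// The returned handler can be registered with window.addEventListener.
// Note: if drawioUrl shares the GitLab instance's own origin, this check
// cannot distinguish the two; that case is out of scope here.
function createDrawioListener(drawioUrl, handleDiagram) {
  return function onMessage(event) {
    if (!isFromDrawio(event, drawioUrl)) {
      return false; // ignored: origin mismatch
    }
    handleDiagram(event.data);
    return true;
  };
}

// Constructed sample events (not real GitLab traffic) to exercise the check.
const DRAWIO_URL = 'https://embed.diagrams.net/?embed=1&proto=json';
const accepted = [];
const listener = createDrawioListener(DRAWIO_URL, (data) => accepted.push(data));

const fromDrawio = { origin: 'https://embed.diagrams.net', data: '{"event":"save"}' };
const fromElsewhere = { origin: 'https://embed.diagrams.net.example', data: '{"event":"save"}' };
const wrongScheme = { origin: 'http://embed.diagrams.net', data: '{"event":"save"}' };
```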
References
- Draw.io listener needs to verify message origin (#599715)
- https://gitlab.com/gitlab-com/gl-security/product-security/appsec/appsec-reviews/-/work_items/326 (staff-only)
Screenshots or screen recordings
Nothing visually changes at all
How to set up and validate locally
Just check Draw.io diagrams still work on your GDK:
- Check out the branch!
- Navigate to a wiki and use the "Insert or edit diagram" button; if you're using the rich-text editor, it'll be under the "+" menu and called "Create or edit diagram".
- Wait a moment for the Draw.io interface to appear.
- Add anything to the diagram using the toolbar at the left.
- Click "Save & Exit" at the top right, and then "Save". The default filename diagram.drawio.svg is fine.
- You should be taken back to the wiki interface with your diagram embedded (either as embed code in the plain-text editor, or visually in the rich-text editor).
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Edited by Asherah Connor