remove ability to inject arbitrary scripts

2026-01-15 12:15:22 +00:00 · 2019-09-10 18:06:23 -07:00
parent d51f062d03
commit 8a6cd3cd12
3 changed files with 21 additions and 5 deletions
--- a/packages/react-devtools-extensions/src/inject.js
+++ b/packages/react-devtools-extensions/src/inject.js
@@ -2,8 +2,13 @@

 export default function inject(scriptName: string, done: ?Function) {
  const source = `
+  // the prototype stuff is in case document.createElement has been modified
  (function () {
-    window.postMessage({ source: 'react-devtools-inject-script', scriptName: "${scriptName}" }, "*");
+    var script = document.constructor.prototype.createElement.call(document, 'script');
+    script.src = "${scriptName}";
+    script.charset = "utf-8";
+    document.documentElement.appendChild(script);
+    script.parentNode.removeChild(script);
  })()
  `;

@@ -16,4 +21,4 @@ export default function inject(scriptName: string, done: ?Function) {
      done();
    }
  });
-}
+}
--- a/packages/react-devtools-extensions/src/injectGlobalHook.js
+++ b/packages/react-devtools-extensions/src/injectGlobalHook.js
@@ -31,10 +31,10 @@ window.addEventListener('message', function(evt) {
        reactBuildType: evt.data.reactBuildType,
      };
      chrome.runtime.sendMessage(lastDetectionResult);
-    } else if (evt.data.source === 'react-devtools-inject-script' && evt.data.scriptName) {
+    } else if (evt.data.source === 'react-devtools-inject-backend') {
      //Inject the specified script
      var script = document.constructor.prototype.createElement.call(document, 'script');
-      script.src = evt.data.scriptName;
+      script.src = chrome.runtime.getURL('build/backend.js');
      script.charset = "utf-8";
      document.documentElement.appendChild(script);
      script.parentNode.removeChild(script);
--- a/packages/react-devtools-extensions/src/main.js
+++ b/packages/react-devtools-extensions/src/main.js
@@ -135,7 +135,18 @@ function createPanelIfReactLoaded() {

        // Initialize the backend only once the Store has been initialized.
        // Otherwise the Store may miss important initial tree op codes.
-        inject(chrome.runtime.getURL('build/backend.js'));
+        chrome.devtools.inspectedWindow.eval(
+          `window.postMessage({ source: 'react-devtools-inject-backend' });`, 
+          function(response, error) {
+          if (error) {
+            console.log(error);
+          }
+
+          if (typeof done === 'function') {
+            done();
+          }
+        }
+        );

        const viewElementSourceFunction = createViewElementSource(
          bridge,