From 5835a5c200b7336815e3864b6e6b619d758e8b12 Mon Sep 17 00:00:00 2001
From: Tyschenko
Date: Tue, 10 Jun 2025 14:00:41 +0100
Subject: [PATCH] fix: Handle messages only coming from the main frame to prevent spoofing from child iframes
---
 .../java/com/reactnativecommunity/webview/RNCWebView.java | 4 +++-
 apple/RNCWebViewImpl.m | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/android/src/main/java/com/reactnativecommunity/webview/RNCWebView.java b/android/src/main/java/com/reactnativecommunity/webview/RNCWebView.java
index fb394c2b2..f30747fc0 100644
--- a/android/src/main/java/com/reactnativecommunity/webview/RNCWebView.java
+++ b/android/src/main/java/com/reactnativecommunity/webview/RNCWebView.java
@@ -283,7 +283,9 @@ protected void createRNCWebViewBridge(RNCWebView webView) {
 @Override
 public void onPostMessage(@NonNull WebView view, @NonNull WebMessageCompat message, @NonNull Uri sourceOrigin, boolean isMainFrame, @NonNull JavaScriptReplyProxy replyProxy) {
- RNCWebView.this.onMessage(message.getData(), sourceOrigin.toString());
+ if (isMainFrame) {
+ RNCWebView.this.onMessage(message.getData(), sourceOrigin.toString());
+ }
 }
 };
 WebViewCompat.addWebMessageListener(
diff --git a/apple/RNCWebViewImpl.m b/apple/RNCWebViewImpl.m
index 42fbcf888..f01ee9ab4 100644
--- a/apple/RNCWebViewImpl.m
+++ b/apple/RNCWebViewImpl.m
@@ -779,7 +779,7 @@ - (void)userContentController:(WKUserContentController *)userContentController
 _disablePromptDuringLoading = NO;
 }
 } else if ([message.name isEqualToString:MessageHandlerName]) {
- if (_onMessage) {
+ if (_onMessage && message.frameInfo.mainFrame) {
 NSMutableDictionary *event = [self baseEvent];
 [event addEntriesFromDictionary: @{@"data": message.body}];
 [event addEntriesFromDictionary: @{@"url": message.frameInfo.request.URL.absoluteString}];
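Review bot: The new `if (isMainFrame)` guard in `onPostMessage` discards child-frame messages silently, with no comment stating why and no trace for an integrator whose iframe-hosted page stops delivering messages. A comment above the guard such as `// Only the top-level document may reach onMessage; a child iframe could otherwise post data the app attributes to the page.` would record the intent. The guard covers only this `WebMessageListener` callback. The rest of `createRNCWebViewBridge` is outside the hunk, so if a fallback bridge is registered when the listener is unavailable, it should be checked for the same exposure, since it would not receive `isMainFrame`. As far as the hunk shows, a main-frame message is still forwarded whatever its `sourceOrigin`, so origin filtering remains the receiver's job.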
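Review bot: The `message.frameInfo.mainFrame` check is added only to the `MessageHandlerName` branch, while the branch that closes just above it (the one resetting `_disablePromptDuringLoading`) presumably handles a different handler name and its condition is outside the hunk. If that handler is also reachable from page script, it likely needs the same main-frame check. Inside the guarded block, `@{@"url": message.frameInfo.request.URL.absoluteString}` raises if the URL string is nil, so a nil-safe form such as `event[@"url"] = message.frameInfo.request.URL.absoluteString ?: @"";` would be more robust. A short comment on the condition, e.g. `// Ignore script messages from child frames so an embedded iframe cannot speak as the page.`, would keep the intent visible. The method body starts and ends outside the hunk.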