
Fix security vulnerabilities: XSS, postMessage origin validation, and…#491

Draft
Syedsmaeel wants to merge 4455 commits into ProtonMail:main from Syedsmaeel:security-fixes

Conversation

@Syedsmaeel

Security Hardening: XSS Prevention and Cross-Window Communication Security

This PR implements critical security improvements and "defense-in-depth" measures across several applications within the Proton WebClients
monorepo. The focus is on preventing Cross-Site Scripting (XSS), securing postMessage communication, and hardening external link handling.

Key Changes

  1. Account Application: XSS Prevention
  • Issue: The user signature was rendered directly using dangerouslySetInnerHTML in the mobile address section without client-side sanitization.
  • Fix: Integrated @proton/sanitize and applied sanitizeMessage() to all signature rendering. This ensures that even if malicious content reaches
    the client, it is neutralized before being injected into the DOM.
  • Files: applications/account/src/lite/components/Address/MobileAddressSection.tsx, applications/account/package.json
  2. Wallet Application: postMessage Origin Validation
  • Issue: The Bitcoin checkout component listened for window messages without validating the event.origin, and checkout success/failure pages sent
    messages using the wildcard * target.
  • Fix:
    • Implemented strict origin validation in Checkout/index.tsx, allowing only the local origin and the verified volt.io domain.
    • Replaced wildcard target origins with window.location.origin in all static checkout HTML files to prevent sensitive state leakage.
  • Files: applications/wallet/src/app/components/BitcoinBuyModal/Checkout/index.tsx, applications/wallet/public/checkout/*.html
  3. Docs Application: Secure Document Duplication
  • Issue: The PublicDocumentCopier component processed postMessage requests for document copying without verifying the source.
  • Fix: Added origin validation to the message listener to ensure requests only originate from authorized Proton Docs instances.
  • Files: applications/docs/src/app/routes/(user)/(document)/doc/__components/PublicDocumentCopier.tsx
  4. Account Application: SSO Token Protection
  • Issue: The external SSO consumer used postMessage without a specific target origin, potentially exposing SSO tokens to malicious windows.
  • Fix: Hardened the postMessage call to explicitly target window.location.origin.
  • Files: applications/account/src/app/content/ExternalSSOConsumer.tsx
  5. General: External Link Hardening
  • Issue: Several external links using target="_blank" were missing rel="noopener noreferrer".
  • Fix: Conducted a sweep and added the missing attributes to protect against "tabnabbing" attacks and improve browser performance.
  • Files: Various components in docs, wallet, and account.

Impact
These changes reduce the attack surface for cross-site attacks and ensure that sensitive user data (like SSO tokens and payment status) is handled
securely during cross-window interactions.
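The following is an added illustration of the postMessage pattern described in items 2 through 4 above (a listener that validates event.origin against an exact allowlist, and a sender that never passes the wildcard * as targetOrigin). It is not code from this PR or from the Proton WebClients repository. The origins, the message shape ({ type, status }) and the function names are assumptions made for the example; the real checkout and SSO components are not shown on this page.

```javascript
// Added example, not Proton's code: strict origin validation for a
// cross-window postMessage listener, plus a sender that refuses the
// wildcard "*" target. All origins and message shapes are constructed.

// Stands in for window.location.origin in a browser (assumed value).
const OWN_ORIGIN = "https://wallet.example.test";

// Exact-match allowlist: own origin plus one verified provider origin.
// The PR mentions a verified volt.io domain; the value here is a placeholder.
const ALLOWED_ORIGINS = new Set([OWN_ORIGIN, "https://provider.example.test"]);

// True only for an exact, case-sensitive match. Substring or prefix checks
// such as origin.endsWith("example.test") are the classic mistake: an origin
// like "https://provider.example.test.attacker.test" would not pass here,
// but "https://evil-example.test" would pass a naive endsWith check.
function isAllowedOrigin(origin, allowed = ALLOWED_ORIGINS) {
  return typeof origin === "string" && allowed.has(origin);
}

// Reduces a MessageEvent-like object to a checkout result, or null when the
// message must be ignored. Dropping silently (not throwing) is the right
// behaviour for a window listener: any page can post to a window, so
// unexpected messages are normal and must simply be discarded.
function handleCheckoutMessage(event, allowed = ALLOWED_ORIGINS) {
  if (!isAllowedOrigin(event.origin, allowed)) return null;
  const data = event.data;
  if (!data || typeof data !== "object") return null;
  if (data.type !== "checkout:status") return null;
  if (data.status !== "success" && data.status !== "failure") return null;
  return { status: data.status, origin: event.origin };
}

// Sends a status message with an explicit targetOrigin. With "*", the browser
// delivers to whatever document currently occupies the target window, which
// may be a page the user navigated to after checkout started. `target` is any
// object with postMessage(message, targetOrigin): window.parent, window.opener,
// or a test double. Returns the targetOrigin actually used.
function sendCheckoutStatus(target, status, targetOrigin = OWN_ORIGIN) {
  if (targetOrigin === "*") {
    throw new Error("refusing to post checkout status with wildcard targetOrigin");
  }
  target.postMessage({ type: "checkout:status", status }, targetOrigin);
  return targetOrigin;
}

// Constructed sample events standing in for real MessageEvent objects.
const SAMPLE_EVENTS = [
  { origin: "https://provider.example.test", data: { type: "checkout:status", status: "success" } },
  { origin: "https://provider.example.test.attacker.test", data: { type: "checkout:status", status: "success" } },
  { origin: "https://wallet.example.test", data: { type: "checkout:status", status: "failure" } },
  { origin: "null", data: { type: "checkout:status", status: "success" } }, // opaque origin (sandboxed frame)
  { origin: "https://provider.example.test", data: "not an object" },
];

// Runs the listener over the samples; expected: [result, null, result, null, null].
function runSamples() {
  return SAMPLE_EVENTS.map((event) => handleCheckoutMessage(event));
}

console.log(runSamples());
```

The allowlist is a Set of full origins (scheme, host and port), so "http://provider.example.test" or a different port is rejected even though the host matches; event.origin is compared as a whole, never parsed for a substring. The sender side returns the origin it used so a test can confirm the wildcard never reaches postMessage.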

StraightOuttaCrompton and others added 30 commits April 15, 2026 17:46
Add recovery phrase to unauth lost 2fa flow

See merge request web/clients!24124
DRVWEB: Implement versioning for Index Populators

See merge request web/clients!24193
Update proton-meet-core to 1.1.6-13

See merge request web/clients!24164
i18n(weekly-mr:app): Upgrade translations from crowdin (389a334). for webapps

See merge request web/clients!24195
DRVWEB: Search errors sentry/comlink hardening 💪

See merge request web/clients!24163
Add comparison table component

See merge request web/clients!24174
Improving Meet recording performance

See merge request web/clients!21340
Feedback first cancellation flow: different account content

See merge request web/clients!24074
fix(INDA-675): Fix snap running under wayland/x11 with Electron v40

See merge request web/clients!24171
MargeBot and others added 28 commits April 22, 2026 07:16
Add debug mail store button and modal

See merge request web/clients!24332
Add Unauth lost 2fa e2e tests

See merge request web/clients!24192
change "pass unlimited" to "proton unlimited"

See merge request web/clients!24279
Added 1domain support for vpnbiz2023

See merge request web/clients!24336
Report block verification to erroring users

See merge request web/clients!24340
Attempt to fix drawer apps that cannot be closed

See merge request web/clients!24089
Avoid layout shift when typing in empty composer

See merge request web/clients!24330
Tech: add useSubscriptionCheck hook

See merge request web/clients!24276
Fix recovery issue with photos

See merge request web/clients!24345
Fix bad org or group name causing issues

See merge request web/clients!24324
Final polishes and orchestrator component for cancellation flow

See merge request web/clients!24146
MEET-279: participants role, share screen slice and other UIs fixes

See merge request web/clients!24334
DRVWEB-5359: Include trashed items in search index (without exposing them to search queries)

See merge request web/clients!24300
[IDTEAM-5924] Remove cycle param in pass signup, keep the cycle page

See merge request web/clients!24328
@Syedsmaeel Syedsmaeel marked this pull request as draft April 22, 2026 16:30