remove ability to inject arbitrary scripts

facebook · Sep 11, 2019 · 8a6cd3c · 8a6cd3c
1 parent d51f062
commit 8a6cd3c
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 5 deletions.
diff --git a/packages/react-devtools-extensions/src/inject.js b/packages/react-devtools-extensions/src/inject.js
@@ -2,8 +2,13 @@
 
 export default function inject(scriptName: string, done: ?Function) {
   const source = `
+  // the prototype stuff is in case document.createElement has been modified
   (function () {
-    window.postMessage({ source: 'react-devtools-inject-script', scriptName: "${scriptName}" }, "*");
+    var script = document.constructor.prototype.createElement.call(document, 'script');
+    script.src = "${scriptName}";
+    script.charset = "utf-8";
+    document.documentElement.appendChild(script);
+    script.parentNode.removeChild(script);
   })()
   `;
 
@@ -16,4 +21,4 @@ export default function inject(scriptName: string, done: ?Function) {
       done();
     }
   });
-}
+}
diff --git a/packages/react-devtools-extensions/src/injectGlobalHook.js b/packages/react-devtools-extensions/src/injectGlobalHook.js
@@ -31,10 +31,10 @@ window.addEventListener('message', function(evt) {
         reactBuildType: evt.data.reactBuildType,
       };
       chrome.runtime.sendMessage(lastDetectionResult);
-    } else if (evt.data.source === 'react-devtools-inject-script' && evt.data.scriptName) {
+    } else if (evt.data.source === 'react-devtools-inject-backend') {
       //Inject the specified script
       var script = document.constructor.prototype.createElement.call(document, 'script');
-      script.src = evt.data.scriptName;
+      script.src = chrome.runtime.getURL('build/backend.js');
       script.charset = "utf-8";
       document.documentElement.appendChild(script);
       script.parentNode.removeChild(script);

diff --git a/packages/react-devtools-extensions/src/main.js b/packages/react-devtools-extensions/src/main.js
@@ -135,7 +135,18 @@ function createPanelIfReactLoaded() {
 
         // Initialize the backend only once the Store has been initialized.
         // Otherwise the Store may miss important initial tree op codes.
-        inject(chrome.runtime.getURL('build/backend.js'));
+        chrome.devtools.inspectedWindow.eval(
+          `window.postMessage({ source: 'react-devtools-inject-backend' });`, 
+          function(response, error) {
+          if (error) {
+            console.log(error);
+          }
+
+          if (typeof done === 'function') {
+            done();
+          }
+        }
+        );
 
         const viewElementSourceFunction = createViewElementSource(
           bridge,