Security note

Tofandel · Jul 14, 2021 · 4fdde1c · 4fdde1c
1 parent 2db1cd1
commit 4fdde1c
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -72,3 +72,12 @@ bus.once('otherTest', (res) => {
   return res + ' for the first time';
 });
 ```
+
+## A note on Security
+
+This library assumes the server is a public page and thus any client can connect to it if a CSP is not configured
+
+Here is the header you can serve from the server to only allow `https://some-client.com` to connect to the server
+```
+Content-Security-Policy: frame-ancestors 'self' https://some-client.com;
+```
diff --git a/index.ts b/index.ts
@@ -1,7 +1,7 @@
 import {TinyEmitter} from 'tiny-emitter';
 
 export default class WindowBus {
-    private emitter = null;
+    private readonly emitter = new TinyEmitter();
 
     private readonly frame: Window = null;
     private readonly origin: string = null;
@@ -10,7 +10,6 @@ export default class WindowBus {
     private queue = {};
 
     constructor(targetWindow?: Window, origin?: string) {
-        this.emitter = new TinyEmitter();
         this.frame = targetWindow || window.parent;
 
         if (!this.frame) {
@@ -93,7 +92,7 @@ export default class WindowBus {
 
     off(action: string, cb?: CallableFunction) {
         if (cb) {
-            const res = this.chains[action].find((v) => v.cb === cb);
+            const res = (this.chains[action] || []).find((v) => v.cb === cb);
             if (res) {
                 cb = res.c;
             }

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "window-bus",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "description": "An ultra light library to communicate between iframes regardless of origin",
   "main": "index.js",
   "files": [