From b1abed2f2bb0183d1da639a10d7667f14d8cef07 Mon Sep 17 00:00:00 2001
From: Maxim Baz
Date: Sun, 24 Feb 2019 18:30:50 +0100
Subject: [PATCH] Store foreign-origin approvals per frame origin (#36)
---
 src/background.js | 38 ++++++++++++++++++--------------------
 src/inject.js | 5 +++--
 2 files changed, 21 insertions(+), 22 deletions(-)
diff --git a/src/background.js b/src/background.js
index ffd1329..724116f 100644
--- a/src/background.js
+++ b/src/background.js
@@ -110,7 +110,7 @@ async function dispatchFill(
 fillRequest = Object.assign(deepCopy(fillRequest), {
 allowForeign: allowForeign,
 allowNoSecret: allowNoSecret,
- approvedForeign: settings.foreignFills[settings.host]
+ foreignFills: settings.foreignFills[settings.host] || {}
 });
 var perFrameFillResults = await chrome.tabs.executeScript(settings.tab.id, {
@@ -118,30 +118,28 @@ async function dispatchFill(
 code: `window.browserpass.fillLogin(${JSON.stringify(fillRequest)});`
 });
- // merge fill resutls in a single object
- var fillResult = perFrameFillResults.reduce(
- function(merged, frameResult) {
- if (typeof frameResult.foreignFill !== "undefined") {
- merged.foreignFill = frameResult.foreignFill;
- }
- for (var field in frameResult.filledFields) {
- if (!merged.filledFields.includes(field)) {
- merged.filledFields.push(field);
- }
- }
- return merged;
- },
- { filledFields: [] }
- );
+ // merge filled fields into a single array
+ var filledFields = perFrameFillResults
+ .reduce((merged, frameResult) => merged.concat(frameResult.filledFields), [])
+ .filter((val, i, merged) => merged.indexOf(val) === i);
 // if user answered a foreign-origin confirmation,
- // store the answer in the settings
- if (typeof fillResult.foreignFill !== "undefined") {
- settings.foreignFills[settings.host] = fillResult.foreignFill;
+ // store the answers in the settings
+ var needSaveSettings = false;
+ for (var frame of perFrameFillResults) {
+ if (typeof frame.foreignFill !== "undefined") {
+ if (typeof settings.foreignFills[settings.host] === "undefined") {
+ settings.foreignFills[settings.host] = {};
+ }
+ settings.foreignFills[settings.host][frame.foreignOrigin] = frame.foreignFill;
+ needSaveSettings = true;
+ }
+ }
+ if (needSaveSettings) {
 saveSettings(settings);
 }
- return fillResult.filledFields;
+ return filledFields;
 }
 /**
diff --git a/src/inject.js b/src/inject.js
index cc0ae39..df8e35e 100644
--- a/src/inject.js
+++ b/src/inject.js
@@ -93,7 +93,7 @@
 // ensure the origin is the same, or ask the user for permissions to continue
 if (window.location.origin !== request.origin) {
- if (!request.allowForeign) {
+ if (!request.allowForeign || request.foreignFills[window.location.origin] === false) {
 return result;
 }
 var message =
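Review bot: The `typeof settings.foreignFills[settings.host] === "undefined"` guard in the new loop of dispatchFill (background.js, hunk -118) does not cover settings saved before this change, where the removed line stored a bare boolean under the host (`settings.foreignFills[settings.host] = fillResult.foreignFill`). For such a host the per-origin assignment targets a primitive, so the user's answer is dropped (or throws in strict mode) and the confirmation comes back on every fill. Treat anything that is not an object as unset, e.g. `if (typeof settings.foreignFills[settings.host] !== "object" || settings.foreignFills[settings.host] === null) {`. A legacy `true` also passes straight through the `|| {}` default in hunk -110, which inject.js happens to tolerate because a property lookup on a boolean yields `undefined`.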
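Review bot: In inject.js (hunk -93, and again in hunk -101) the remembered decision is looked up by `window.location.origin`, which serialises to the literal string `"null"` for documents whose URL has an opaque origin (data:, about:blank and similar). If this script is ever injected into such frames, which the hunks do not show, one remembered `true` under the `"null"` key would cover every later opaque frame embedded on the same host, so the prompt would no longer distinguish them. Consider always asking for that key, `if (window.location.origin === "null" || request.foreignFills[window.location.origin] !== true) {`, and not persisting it on the background side, `if (typeof frame.foreignFill !== "undefined" && frame.foreignOrigin !== "null") {`. The enclosing function starts and ends outside both hunks.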
@@ -101,7 +101,8 @@
 "different origin than the main document in this tab. Do you wish to proceed?\n\n" +
 `Tab origin: ${request.origin}\n` +
 `Embedded origin: ${window.location.origin}`;
- if (!request.approvedForeign) {
+ if (request.foreignFills[window.location.origin] !== true) {
+ result.foreignOrigin = window.location.origin;
 result.foreignFill = confirm(message);
 if (!result.foreignFill) {
 return result;
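Review bot: The remembered answer is tri-state, but nothing near this condition says so: the check here uses `!== true` while the earlier guard in hunk -93 uses `=== false`, and a reader has to infer that a missing key means "not asked yet". A comment above the condition would make the contract explicit, e.g. `// foreignFills[origin]: true = approved earlier, false = denied earlier (returned above), missing = ask now`. It would also help to note next to `result.foreignOrigin` that the background script uses this value as the key under which the answer is persisted, so it must stay the frame's own origin. The enclosing block starts and ends outside the hunk.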