Commit dc680e7

fix: allow vault + extension pages in tabs to access sensitive ops
isExtensionSender was blocking ALL messages with sender.tab, including extension pages opened in tabs (vault.html). Now checks if the tab URL starts with the extension origin — allows extension tabs while still blocking content scripts on web pages. Fixes "Unauthorized sender" error when creating a vault.
1 parent 5641c6d commit dc680e7

17 files changed

+61002
-133
lines changed

distros/safari/api-keys/api-keys.build.js

Lines changed: 790 additions & 11 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

distros/safari/background.build.js

Lines changed: 10669 additions & 4 deletions

distros/safari/background.js

Lines changed: 10 additions & 4 deletions
@@ -362,11 +362,17 @@ const SENSITIVE_KINDS = new Set([
362362
]);
363363

364364
function isExtensionSender(sender) {
365-
// Messages from extension pages (popup, sidepanel, options) have our ID
366-
// and a URL starting with our extension origin. Content scripts have a
367-
// tab property — they are page context and must not access sensitive ops.
365+
// Messages from extension pages (popup, sidepanel, options, vault) have our ID.
366+
// Content scripts inject into web pages — they have sender.tab but their URL
367+
// is the web page URL, not our extension URL. Extension pages opened in tabs
368+
// (like vault.html) also have sender.tab but their URL starts with our origin.
368369
if (sender.id !== api.runtime.id) return false;
369-
if (sender.tab) return false; // content script context
370+
// If opened in a tab, check the URL is actually our extension (not a content script)
371+
if (sender.tab) {
372+
const extOrigin = `chrome-extension://${api.runtime.id}`;
373+
const url = sender.tab.url || sender.url || '';
374+
return url.startsWith(extOrigin) || url.startsWith('moz-extension://');
375+
}
370376
return true;
371377
}
372378

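Review bot: In the new `if (sender.tab)` branch, `const url = sender.tab.url || sender.url || ''` prefers the tab's top-level URL over the URL of the frame that sent the message, so the decision is made on the tab rather than on the sender; a content script running in a web frame embedded in an extension tab would be judged by the extension URL and pass. Test `sender.url` (the sending frame) instead, and fall back to denying when it is empty. Separately, `url.startsWith('moz-extension://')` accepts any moz-extension origin rather than this extension's own, the `chrome-extension://${api.runtime.id}` prefix has no trailing slash, and neither prefix covers other schemes even though this file sits under distros/safari. Comparing against `api.runtime.getURL('')` would bind the check to this extension's exact origin on whichever browser is running. The updated comment should also say that tab senders are allowed only when their URL is under the extension origin, since the first comment line now reads as if the ID check alone identifies extension pages.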
distros/safari/content.build.js

Lines changed: 363 additions & 5 deletions

distros/safari/event_history/event_history.build.js

Lines changed: 5428 additions & 12 deletions

distros/safari/experimental/experimental.build.js

Lines changed: 245 additions & 7 deletions

distros/safari/nostr-keys/nostr-keys.build.js

Lines changed: 5544 additions & 8 deletions

distros/safari/nostr.build.js

Lines changed: 113 additions & 1 deletion

distros/safari/options.build.css

Lines changed: 1945 additions & 1 deletion
Large diffs are not rendered by default.
