mirror of
https://github.com/facebook/react.git
synced 2025-11-01 09:12:30 +00:00
09285d5a7f
1. https://github.com/bvaughn/react/commit/9fc04eaf3fb701cdc14f57d5aed48f3126af6c94#diff-2c5e1f5e80e74154e65b2813cf1c3638f85034530e99dae24809ab4ad70d0143 introduced a vulnerability: we listen to `'fetch-file-with-cache'` event from `window` to fetch sources of the file, in which we want to parse hook names. We send this event via `window`, which means any page can also use this and manipulate the extension to perform some `fetch()` calls. With these changes, instead of transporting message via `window`, we have a distinct content script, which is responsible for fetching sources. It is notified via `chrome.runtime.sendMessage` api, so it can't be manipulated. 2. Consistent structure of messages `{source: string, payload: object}` in different parts of the extension 3. Added some wrappers around `chrome.scripting.executeScript` API in `packages/react-devtools-extensions/src/background/executeScript.js`, which support custom flow for Firefox, to simulate support of `ExecutionWorld.MAIN`.
30 lines
798 B
JavaScript
30 lines
798 B
JavaScript
import {installHook} from 'react-devtools-shared/src/hook';
|
|
|
|
// avoid double execution
|
|
if (!window.hasOwnProperty('__REACT_DEVTOOLS_GLOBAL_HOOK__')) {
|
|
installHook(window);
|
|
|
|
// detect react
|
|
window.__REACT_DEVTOOLS_GLOBAL_HOOK__.on(
|
|
'renderer',
|
|
function ({reactBuildType}) {
|
|
window.postMessage(
|
|
{
|
|
source: 'react-devtools-hook',
|
|
payload: {
|
|
type: 'react-renderer-attached',
|
|
reactBuildType,
|
|
},
|
|
},
|
|
'*',
|
|
);
|
|
},
|
|
);
|
|
|
|
// save native values
|
|
window.__REACT_DEVTOOLS_GLOBAL_HOOK__.nativeObjectCreate = Object.create;
|
|
window.__REACT_DEVTOOLS_GLOBAL_HOOK__.nativeMap = Map;
|
|
window.__REACT_DEVTOOLS_GLOBAL_HOOK__.nativeWeakMap = WeakMap;
|
|
window.__REACT_DEVTOOLS_GLOBAL_HOOK__.nativeSet = Set;
|
|
}
|