From b22238792301b17579096f5c5dc8faaa8add1e27 Mon Sep 17 00:00:00 2001 From: Ilya Laktyushin Date: Thu, 30 Apr 2026 12:14:39 +0200 Subject: [PATCH] Make origin check optional --- .../WebUI/Sources/WebAppController.swift | 7 ++++- submodules/WebUI/Sources/WebAppWebView.swift | 27 +++++++++++++++++-- 2 files changed, 31 insertions(+), 3 deletions(-) diff --git a/submodules/WebUI/Sources/WebAppController.swift b/submodules/WebUI/Sources/WebAppController.swift index 90202b3f4c..64616b7429 100644 --- a/submodules/WebUI/Sources/WebAppController.swift +++ b/submodules/WebUI/Sources/WebAppController.swift @@ -516,7 +516,12 @@ public final class WebAppController: ViewController, AttachmentContainable { return } #endif*/ - self.webView?.bindTrustedOrigin(from: url) + + if !"".isEmpty { + self.webView?.bindTrustedOrigin(from: url) + } else { + self.webView?.setupEventProxySource() + } self.webView?.load(URLRequest(url: url)) } diff --git a/submodules/WebUI/Sources/WebAppWebView.swift b/submodules/WebUI/Sources/WebAppWebView.swift index f722ace6e7..edf115e500 100644 --- a/submodules/WebUI/Sources/WebAppWebView.swift +++ b/submodules/WebUI/Sources/WebAppWebView.swift @@ -43,7 +43,19 @@ private func jsStringLiteral(_ value: String) -> String { return "\"\"" } -private func eventProxySource(trustedOrigin: String) -> String { +private func eventProxySource() -> String { + return """ + (function() { + var TelegramWebviewProxyProto = function() {}; + TelegramWebviewProxyProto.prototype.postEvent = function(eventName, eventData) { + window.webkit.messageHandlers.performAction.postMessage({'eventName': eventName, 'eventData': eventData}); + }; + window.TelegramWebviewProxy = new TelegramWebviewProxyProto(); + })(); + """ +} + +private func securedEventProxySource(trustedOrigin: String) -> String { return """ (function() { if (window.location.origin !== \(jsStringLiteral(trustedOrigin))) { @@ -202,6 +214,7 @@ final class WebAppWebView: WKWebView { print() } + var useSecuredEventProxy = true func bindTrustedOrigin(from url: URL) { guard self.trustedOrigin == nil else { return @@ -212,7 +225,14 @@ final class WebAppWebView: WKWebView { self.trustedOrigin = origin - let eventProxyScript = WKUserScript(source: eventProxySource(trustedOrigin: origin), injectionTime: .atDocumentStart, forMainFrameOnly: true) + let eventProxyScript = WKUserScript(source: securedEventProxySource(trustedOrigin: origin), injectionTime: .atDocumentStart, forMainFrameOnly: true) + self.configuration.userContentController.addUserScript(eventProxyScript) + } + + func setupEventProxySource() { + self.useSecuredEventProxy = false + + let eventProxyScript = WKUserScript(source: eventProxySource(), injectionTime: .atDocumentStart, forMainFrameOnly: true) self.configuration.userContentController.addUserScript(eventProxyScript) } @@ -220,6 +240,9 @@ final class WebAppWebView: WKWebView { guard message.frameInfo.isMainFrame else { return false } + if !self.useSecuredEventProxy { + return true + } guard let trustedOrigin = self.trustedOrigin else { return false }