Make origin check optional

This commit is contained in:
Ilya Laktyushin 2026-04-30 12:14:39 +02:00
parent 00f87c7b6e
commit b222387923
2 changed files with 31 additions and 3 deletions

View file

@ -516,7 +516,12 @@ public final class WebAppController: ViewController, AttachmentContainable {
return
}
#endif*/
self.webView?.bindTrustedOrigin(from: url)
if !"".isEmpty {
self.webView?.bindTrustedOrigin(from: url)
} else {
self.webView?.setupEventProxySource()
}
self.webView?.load(URLRequest(url: url))
}

View file

@ -43,7 +43,19 @@ private func jsStringLiteral(_ value: String) -> String {
return "\"\""
}
private func eventProxySource(trustedOrigin: String) -> String {
private func eventProxySource() -> String {
return """
(function() {
var TelegramWebviewProxyProto = function() {};
TelegramWebviewProxyProto.prototype.postEvent = function(eventName, eventData) {
window.webkit.messageHandlers.performAction.postMessage({'eventName': eventName, 'eventData': eventData});
};
window.TelegramWebviewProxy = new TelegramWebviewProxyProto();
})();
"""
}
private func securedEventProxySource(trustedOrigin: String) -> String {
return """
(function() {
if (window.location.origin !== \(jsStringLiteral(trustedOrigin))) {
@ -202,6 +214,7 @@ final class WebAppWebView: WKWebView {
print()
}
var useSecuredEventProxy = true
func bindTrustedOrigin(from url: URL) {
guard self.trustedOrigin == nil else {
return
@ -212,7 +225,14 @@ final class WebAppWebView: WKWebView {
self.trustedOrigin = origin
let eventProxyScript = WKUserScript(source: eventProxySource(trustedOrigin: origin), injectionTime: .atDocumentStart, forMainFrameOnly: true)
let eventProxyScript = WKUserScript(source: securedEventProxySource(trustedOrigin: origin), injectionTime: .atDocumentStart, forMainFrameOnly: true)
self.configuration.userContentController.addUserScript(eventProxyScript)
}
func setupEventProxySource() {
self.useSecuredEventProxy = false
let eventProxyScript = WKUserScript(source: eventProxySource(), injectionTime: .atDocumentStart, forMainFrameOnly: true)
self.configuration.userContentController.addUserScript(eventProxyScript)
}
@ -220,6 +240,9 @@ final class WebAppWebView: WKWebView {
guard message.frameInfo.isMainFrame else {
return false
}
if !self.useSecuredEventProxy {
return true
}
guard let trustedOrigin = self.trustedOrigin else {
return false
}