fix(trace-viewer): allow opt-in postMessage origin via search param #40976
Open
adityasingh2400 wants to merge 1 commit into
The same-origin postMessage check added in microsoft#40548 closed off a legitimate integration used by third-party HTML report systems where the trace viewer iframe is hosted on a different origin than the report shell. Restore those flows through an explicit ?allowPostMessageOrigin=<origin> query param while keeping the strict same-origin default for everyone else. The opt-in is normalized through the URL parser so callers cannot smuggle in paths or wildcards, and a single origin is supported per load. Fixes microsoft#40960.
Closes #40960.
PR #40548 tightened the trace viewer postMessage origin check to require same-origin, which fixed a security concern but broke single-file HTML report integrations where the trace viewer iframe is hosted on a different origin than the report shell. This restores those workflows through an explicit ?allowPostMessageOrigin=<origin> query param, while keeping the strict same-origin default for everyone else.
The opt-in is normalized through the URL parser so callers cannot smuggle in paths or wildcards, and a single trusted origin is supported per load. Reports such as Allure can now embed https://trace.playwright.dev/?allowPostMessageOrigin=https://reports.example.com and pass an in-memory trace blob, while pages that load the viewer without the query param continue to reject cross-origin messages exactly as before.
Added two tests covering both paths: one verifies that a cross-origin embedder is still ignored by default, and one verifies that the same embedder is accepted once it appears in the opt-in query param.
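The origin check outlined in the description above, as an added example that is not the PR's code: the opt-in value is reduced to a serialized origin by the URL parser and compared to the message's origin by exact string equality. The function names `optInOrigin` and `isAcceptedSender`, the http(s)-only restriction, and the sample URLs are assumptions of this example.

```javascript
// Added illustration; not code from the Playwright PR. Function names are hypothetical.
const PARAM = 'allowPostMessageOrigin'; // query param name taken from the PR description

// Returns the single opted-in origin for this viewer URL, or null if none is usable.
function optInOrigin(viewerUrl) {
  const raw = new URL(viewerUrl).searchParams.get(PARAM); // first value only
  if (!raw) return null;
  let parsed;
  try {
    parsed = new URL(raw); // throws on a bare "*" or any relative string
  } catch {
    return null;
  }
  // Assumption of this example: only http(s) origins may be opted in. Schemes
  // such as data: serialize their origin as the string "null", which would
  // otherwise equal the event.origin reported for sandboxed frames.
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return null;
  return parsed.origin; // scheme + host + port; path, query and fragment are dropped
}

// Decides whether a MessageEvent's origin is acceptable for this viewer load.
function isAcceptedSender(eventOrigin, viewerUrl) {
  if (eventOrigin === new URL(viewerUrl).origin) return true; // same-origin default
  const allowed = optInOrigin(viewerUrl);
  return allowed !== null && eventOrigin === allowed; // exact match, no patterns
}

// Constructed sample inputs, based on the URLs in the PR description.
const VIEWER = 'https://trace.playwright.dev/';
const EMBEDDER = 'https://reports.example.com';

function demo() {
  const optedIn = `${VIEWER}?${PARAM}=${EMBEDDER}/some/report/path`;
  return {
    defaultLoad: isAcceptedSender(EMBEDDER, VIEWER),
    optedInLoad: isAcceptedSender(EMBEDDER, optedIn),
    otherOrigin: isAcceptedSender('https://other.example.net', optedIn),
    wildcardHost: isAcceptedSender('https://a.example.com',
        `${VIEWER}?${PARAM}=https://*.example.com`),
  };
}

console.log(demo());
```

In a browser the same decision would sit at the top of the `message` event listener, with `event.origin` and `window.location.href` as the two arguments.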