test: add unit coverage for PostMessageTransport source validation#536
Open
test: add unit coverage for PostMessageTransport source validation#536
Conversation
PostMessageTransport is the iframe↔host communication layer and contains the primary security boundary (event.source validation). Previously it had zero unit coverage — only exercised indirectly via E2E tests, where the cross-app injection test is a no-op due to cross-origin contentDocument restrictions. Covers 18 test cases across: - Source validation: trusted source delivers, untrusted/null sources dropped silently (no onerror DoS vector), transport survives rejection - Message format: valid requests/notifications delivered; ambient non-JSON-RPC traffic (devtools, extensions) silently ignored; malformed jsonrpc:'2.0' payloads surface via onerror - send(): posts to configured target with '*' targetOrigin - Lifecycle: start() registers listener, close() removes it and fires onclose, post-close messages ignored, multi-transport isolation Uses a minimal in-memory window stub rather than jsdom/happy-dom — consistent with the existing bun test setup which has no DOM configured. Note: the transport validates event.source (window identity), NOT event.origin. send() posts with '*'. Origin is intentionally not part of this transport's trust model.
- TS2352: cast `{ id: string }` through `unknown` before
`MessageEventSource` (lines 366, 370) — no structural overlap
- TS80007: drop ineffective `await` on bun's `.resolves` matcher
(line 355) — it returns void, not Promise<void>
@modelcontextprotocol/ext-apps
@modelcontextprotocol/server-basic-preact
@modelcontextprotocol/server-basic-react
@modelcontextprotocol/server-basic-solid
@modelcontextprotocol/server-basic-svelte
@modelcontextprotocol/server-basic-vanillajs
@modelcontextprotocol/server-basic-vue
@modelcontextprotocol/server-budget-allocator
@modelcontextprotocol/server-cohort-heatmap
@modelcontextprotocol/server-customer-segmentation
@modelcontextprotocol/server-debug
@modelcontextprotocol/server-map
@modelcontextprotocol/server-pdf
@modelcontextprotocol/server-scenario-modeler
@modelcontextprotocol/server-shadertoy
@modelcontextprotocol/server-sheet-music
@modelcontextprotocol/server-system-monitor
@modelcontextprotocol/server-threejs
@modelcontextprotocol/server-transcript
@modelcontextprotocol/server-video-resource
@modelcontextprotocol/server-wiki-explorer
commit: |
ochafik
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
src/message-transport.tsimplementsPostMessageTransport— the iframe↔host communication layer containing the window-identity security boundary (event.sourcevalidation). Previously it had zero unit coverage; the E2E security test attests/e2e/security.spec.ts:335-352is a no-op becauseouterIframe.contentDocumentis null cross-origin, so thepostMessageinjection never fires.This PR adds
src/message-transport.test.tswith 18 tests, 30 assertions.Behaviors covered
Source validation (security boundary at this layer — 4 tests)
eventSourceare deliveredonmessagenoronerrorfire (no DoS vector for the error handler)source: null(browser extensions, devtools) are droppedMessage format validation (6 tests)
onmessagereact-devtools-hook, strings,null, numbers) → silently ignored,onerrornot calledjsonrpc: "2.0"but missing required fields →onerrorcalled,onmessagenot calledonmessage/onerrorhandlers don't crash the listenersend()(2 tests)eventTargetwith"*"targetOriginLifecycle (6 tests)
start()registers amessagelistener onwindowclose()removes the listener — subsequent messages not deliveredclose()firesoncloseif set, doesn't throw if unsetwindoweach accept only messages from their own iframe (realistic host scenario)Architectural notes
Source-vs-origin validation.
PostMessageTransportchecksevent.source(window identity), notevent.origin. This is by design: origin validation lives in the sandbox proxy relay (examples/basic-host/src/sandbox.ts:76,116,127) which sits between the twoPostMessageTransportendpoints and knows both sides' origins. At the endpoints:source === iframe.contentWindowis narrower than an origin check — it picks out one specific iframe, not "anything from port X"So
sourceis the correct check at this layer. Documented in a comment in the test file.Three rejection paths. The implementation distinguishes "not JSON-RPC at all" (silent — iframes receive ambient postMessage traffic from devtools/extensions) from "claims
jsonrpc: '2.0'but malformed" (surfaced viaonerror). Both paths tested explicitly.Test infrastructure
Uses a minimal in-memory
windowstub (~20 LOC) rather than addingjsdom/happy-dom— consistent with the existingbun testsetup which has no DOM configured. Tests the contract (wrong source → callback not fired) rather than implementation details (log messages, internal state).Test results
(87 existing + 18 new, 0 regressions)