Merge remote-tracking branch 'origin/main' into garrytan/sidebar-css-inspector

# Conflicts: # browse/src/server.ts # browse/src/sidebar-agent.ts
2026-05-07 14:06:42 +02:00 · 2026-03-29 22:20:56 -07:00
parent 812882d1e6 3cda8deec9
commit fe4441b530
101 changed files with 4863 additions and 531 deletions
@@ -228,6 +228,21 @@ async function sendToContentScript(tabId, message) {
 // ─── Message Handling ──────────────────────────────────────────

 chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => {
+  // Security: only accept messages from this extension's own scripts
+  if (sender.id !== chrome.runtime.id) {
+    console.warn('[gstack] Rejected message from unknown sender:', sender.id);
+    return;
+  }
+
+  const ALLOWED_TYPES = new Set([
+    'getPort', 'setPort', 'getServerUrl', 'fetchRefs',
+    'openSidePanel', 'command', 'sidebar-command'
+  ]);
+  if (!ALLOWED_TYPES.has(msg.type)) {
+    console.warn('[gstack] Rejected unknown message type:', msg.type);
+    return;
+  }
+
  if (msg.type === 'getPort') {
    sendResponse({ port: serverPort, connected: isConnected });
    return true;