Angular-oauth2-oidc: sessionCheckEventListener should only call this.debug('got info from session check inframe', e) if origin is correct
Describe the bug
Currently the setupSessionCheckEventListener() function logs ALL the events posted with window.postMessage(): https://github.com/manfredsteyer/angular-oauth2-oidc/blob/01b4f20fe72a246f13e239b05126f9bee9c0982f/projects/lib/src/oauth-service.ts#L1046
While this might make sense for events received from the session check frame, this makes absolutely no sense for messages received from other origins.
For example, in my application we use window.postMessage() for communication between iframes a lot. All the messages that are received from other sources (not from the session check frame) should be simply ignored by the oidc library.
This could have been not a huge issue, but since we're logging the whole event object (including all the source and target data), this leads to a huge memory leak. When the source iframe is detached from the DOM, it should be destroyed, but since a reference to its contentWindow is contained in the console now, the contentWindow cannot be garbage collected, so the whole iframe element is retained in memory.
Maximaximum
All 3 comments
Makes sense. PR looks good to me. Thanks! 馃憤
jeroenheijmans
on 27 Aug 2019
@manfredsteyer @jeroenheijmans is this project still being maintained? Could you please review and merge outstanding PRs like this and release a new version? Do you need any help?
Maximaximum
on 9 Dec 2019
I moderate issues and tend to post insights on PRs if I have any. At the moment I don't do merging, releasing, etc. AFAIK Manfred does so only whenever a new major Angular version comes out.
jeroenheijmans
on 9 Dec 2019
Related issues
jeroenheijmans
路
3Comments
zulander1
路
4Comments
jeroenheijmans
路
4Comments
uzzafar
路
4Comments
phrouv
路
4Comments