Merge pull request #41 from bold-commerce/INTER-4337

Insufficient postMessage Validation.

UI/Payment/BoldConfigProvider.php

@@ -92,6 +92,7 @@ public function getConfig(): array
                 'publicOrderId' => $publicOrderId,
                 'countries' => $this->getAllowedCountries(),
                 'alternativePaymentMethods' => $alternativePaymentMethods,
+                'origin' => rtrim($this->config->getApiUrl($websiteId), '/'),
             ],
         ];
     }

UI/Payment/FastlaneConfigProvider.php

@@ -67,7 +67,7 @@ public function getConfig(): array
             $websiteId = (int)$quote->getStore()->getWebsiteId();
             if (!$boldCheckoutData
                 || !$this->config->isPaymentBoosterEnabled($websiteId)
-                || !$this->config->isFastlaneEnabled($websiteId)) {
+                || !$this->config->isFastlaneEnabled($websiteId) || $quote->getCustomer()->getId()) {
                 return [];
             }
             $publicOrderId = $boldCheckoutData['data']['public_order_id'] ?? null;

view/frontend/web/js/view/payment/method-renderer/bold-method.js

@@ -261,7 +261,10 @@ define([
          * @returns {void}
          */
         subscribeToPIGI() {
-            window.addEventListener('message', ({data}) => {
+            window.addEventListener('message', ({ origin, data }) => {
+                if (origin !== window.checkoutConfig.bold.origin) {
+                    return;
+                }
                 const responseType = data.responseType;
                 const iframeElement = document.getElementById('PIGI');
                 const addPaymentAction = {actionType: 'PIGI_ADD_PAYMENT'};