fix: block non https urls (#295)

Co-authored-by: Praful Koppalkar <[email protected]> Co-authored-by: Arush <[email protected]>
juspay · Apr 18, 2024 · 2c745eb · 2c745eb
1 parent e4d2243
commit 2c745eb
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/src/Window.res b/src/Window.res
@@ -120,6 +120,9 @@ external hostname: string = "hostname"
 @val @scope(("window", "location"))
 external href: string = "href"
 
+@val @scope(("window", "location"))
+external protocol: string = "protocol"
+
 let isSandbox = hostname === "beta.hyperswitch.io"
 
 let isInteg = hostname === "dev.hyperswitch.io"

diff --git a/src/orca-loader/Hyper.res b/src/orca-loader/Hyper.res
@@ -131,6 +131,12 @@ let make = (publishableKey, options: option<JSON.t>, analyticsInfo: option<JSON.
         logger.setLogInfo(~value=Window.href, ~eventName=APP_INITIATED, ~timestamp=sdkTimestamp, ())
       }
     }->Sentry.sentryLogger
+    let isSecure = Window.protocol === "https:"
+    let isLocal = GlobalVars.sdkUrl->String.includes("localhost")
+    if !isSecure && !isLocal {
+      manageErrorWarning(HTTP_NOT_ALLOWED, ~dynamicStr=Window.href, ~logger, ())
+      Exn.raiseError("Insecure domain: " ++ Window.href)
+    }
     switch Window.getHyper->Nullable.toOption {
     | Some(hyperMethod) => {
         logger.setLogInfo(