From 2c745ebf4b26703ad600cb0e5d04742d7eda79ee Mon Sep 17 00:00:00 2001
From: Vrishab Srivatsa <136090360+vsrivatsa-juspay@users.noreply.github.com>
Date: Thu, 18 Apr 2024 14:23:54 +0530
Subject: [PATCH] fix: block non https urls (#295)

Co-authored-by: Praful Koppalkar <126236898+prafulkoppalkar@users.noreply.github.com>
Co-authored-by: Arush
---
 src/Window.res | 3 +++
 src/orca-loader/Hyper.res | 6 ++++++
 2 files changed, 9 insertions(+)

diff --git a/src/Window.res b/src/Window.res
index bf5a63b75..b9548f95e 100644
--- a/src/Window.res
+++ b/src/Window.res
@@ -120,6 +120,9 @@ external hostname: string = "hostname"
 @val @scope(("window", "location"))
 external href: string = "href"
+@val @scope(("window", "location"))
+external protocol: string = "protocol"
+
 let isSandbox = hostname === "beta.hyperswitch.io"
 let isInteg = hostname === "dev.hyperswitch.io"
diff --git a/src/orca-loader/Hyper.res b/src/orca-loader/Hyper.res
index b0388e068..47c3f108e 100644
--- a/src/orca-loader/Hyper.res
+++ b/src/orca-loader/Hyper.res
@@ -131,6 +131,12 @@ let make = (publishableKey, options: option, analyticsInfo: optionSentry.sentryLogger
+ let isSecure = Window.protocol === "https:"
+ let isLocal = GlobalVars.sdkUrl->String.includes("localhost")
+ if !isSecure && !isLocal {
+ manageErrorWarning(HTTP_NOT_ALLOWED, ~dynamicStr=Window.href, ~logger, ())
+ Exn.raiseError("Insecure domain: " ++ Window.href)
+ }
 switch Window.getHyper->Nullable.toOption {
 | Some(hyperMethod) => {
 logger.setLogInfo(
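Review bot: The `isLocal` exemption in the Hyper.res hunk is a substring test on `GlobalVars.sdkUrl` rather than a check of the page being loaded, so the HTTPS requirement is switched off for every page whenever the configured SDK URL merely contains the text "localhost" (constructed example: `https://localhost.example.test`). If the intent is to allow local development pages, an exact comparison on the page host is tighter: `let isLocal = Window.hostname === "localhost"`, using the `hostname` binding that Window.res already declares. Separately, both `manageErrorWarning(HTTP_NOT_ALLOWED, ~dynamicStr=Window.href, ...)` and the `Exn.raiseError` message carry the full `Window.href`, which would presumably forward any query string or fragment on the merchant page to the logger; `Window.protocol ++ "//" ++ Window.hostname` identifies the insecure origin without that. The body of `make` starts and ends outside the hunk, and how `GlobalVars.sdkUrl` is set is not visible here.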