Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
@casthub/embed
Advanced tools
@casthub/embed
provides a single Vue 3 hook which can be used to communicate between an iFrame and its parent via postMessage
IPC.
sync
/async
messaging/responsesThis package is available via NPM:
yarn add @casthub/embed
# or
npm install @casthub/embed
For this example, we'll assume the host
is a webpage (example.com
) and the client
is a webpage embedded in an iFrame (frame.example.com
). The only difference between a host
and a client
is that the host
requires an iFrame ref
for binding and sending the messages.
/**
* Host
*/
<template>
<iframe
src="https://frame.example.com"
ref="iframe"
sandbox="allow-scripts"
/>
</template>
<script lang="ts" setup>
import { useEmbed } from '@casthub/embed';
import { ref, onMounted } from 'vue';
const iframe = ref<InstanceType<typeof HTMLIFrame>>();
const { send, events } = useEmbed('host', {
id: 'shared-id',
iframe,
remote: 'https://frame.example.com',
});
// Listen for any synchronous events being emitted over IPC
events.on('yay', payload => {
console.log(payload);
});
onMounted(async () => {
// Send an event to the iFrame and wait for a response.
const response = await send('hello-world', {
hello: 'world',
});
});
</script>
/**
* Client
*/
<template>
<button @click.prevent="submit">Click me!</button>
</template>
<script lang="ts" setup>
import { useEmbed } from '@casthub/embed';
const { handle, post } = useEmbed('client', {
id: 'shared-id',
remote: 'https://example.com',
});
// Resolves incoming (a)synchronous operations.
handle('hello-world', async (payload) => {
if (payload.hello === 'world') {
return 'hey';
}
return 'go away';
});
const submit = () => {
// Send a synchronous event to the host
post('yay', { test: 123 });
};
</script>
This example shows:
Since communication is bi-directional, you can use any of the methods on either Host or Client. For example, asynchronous operations aren't limited to Host -> Client, the Client can also call asynchronous operations and the Host can register handlers/resolvers.
Option | Default | Type | Description |
---|---|---|---|
id | [Required] | String | The Host and Client that you want to talk to each other should share the _same_ ID. |
timeout | 15000 | Number | Configures the global timeout for all asynchronous operations against this ID pair. |
iframe | [Required for Host] | Ref<InstanceType<typeof HTMLIFrame>> | A Vue 3 ref for a Template reference. |
remote | * | String | A remote URL to limit who can recieve/process Events over this Host/Client pair. |
By default, if you don't supply a remote
, the library will process all incoming messages and send events that any party can recieve. By setting this to a URL (See above example), you can limit this and hugely reduce the impact it has on security.
1.0.25 (2022-01-18)
FAQs
Vue 3 Utility Hook for cross-origin iFrame IPC
The npm package @casthub/embed receives a total of 0 weekly downloads. As such, @casthub/embed popularity was classified as not popular.
We found that @casthub/embed demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.