new attempt at speaker view xss fix

plugin/notes/plugin.js

@@ -1,4 +1,4 @@
-import speakerViewHTML from './speaker-view.html';
+import speakerViewHTML from './speaker-view.html'
 
 import { marked } from 'marked';
 

plugin/notes/speaker-view.html

@@ -350,8 +350,9 @@
 					layoutDropdown,
 					pendingCalls = {},
 					lastRevealApiCallId = 0,
-					connected = false,
+					connected = false
-					whitelistedWindows = [window.opener];
+
+				var connectionStatus = document.querySelector( '#connection-status' );
 
 				var SPEAKER_LAYOUTS = {
 					'default': 'Default',
@@ -362,15 +363,29 @@
 
 				setupLayout();
 
-				var connectionStatus = document.querySelector( '#connection-status' );
+				let openerOrigin;
+
+				try {
+					openerOrigin = window.opener.location.origin;
+				}
+				catch ( error ) { console.warn( error ) }
+
+				// In order to prevent XSS, the speaker view will only run if its
+				// opener has the same origin as itself
+				if( window.location.origin !== openerOrigin ) {
+					connectionStatus.innerHTML = 'Cross origin error.<br>The speaker window can only be opened from the same origin.';
+					return;
+				}
+
 				var connectionTimeout = setTimeout( function() {
 					connectionStatus.innerHTML = 'Error connecting to main window.<br>Please try closing and reopening the speaker view.';
 				}, 5000 );
 ;
 				window.addEventListener( 'message', function( event ) {
 
-					// Validate the origin of this message to prevent XSS
+					// Validate the origin of all messages to avoid parsing messages
-					if( window.location.origin !== event.origin && whitelistedWindows.indexOf( event.source ) === -1 ) {
+					// that aren't meant for us
+					if( window.location.origin !== event.origin ) {
 						return;
 					}
 
@@ -539,8 +554,6 @@
 					upcomingSlide.setAttribute( 'src', upcomingURL );
 					document.querySelector( '#upcoming-slide' ).appendChild( upcomingSlide );
 
-					whitelistedWindows.push( currentSlide.contentWindow, upcomingSlide.contentWindow );
-
 				}
 
 				/**