fix: avoid to post message to origin * (#300)

Author: embbnux

src/index.html

@@ -60,7 +60,7 @@ <h2>Two ways to integrate this widget to your web application</h2>
     </p>
     <div class="collapse" id="config-params">
       <div class="card card-body">
-        <p>Create a browser based app in <a href="https://developer.ringcentral.com/" target="_blank">RingCentral Developer Platform<a> to get appKey, appSecret and appServer.</p>
+        <p>Create a browser based app in <a href="https://developer.ringcentral.com/" target="_blank" rel="noopener noreferrer">RingCentral Developer Platform<a> to get appKey, appSecret and appServer.</p>
         <form>
           <div class="form-group row">
             <label for="appKey" class="col-sm-2 col-form-label">appKey</label>

src/lib/Adapter/index.js

@@ -1,5 +1,6 @@
 import classnames from 'classnames';
 import AdapterCore from 'ringcentral-widgets/lib/AdapterCore';
+import url from 'url';
 
 import parseUri from '../parseUri';
 import messageTypes from './messageTypes';
@@ -292,6 +293,8 @@ class Adapter extends AdapterCore {
 
   _setAppUrl(appUrl) {
     this._appUrl = appUrl;
+    const { protocol, host } = url.parse(appUrl, false);
+    this._appOrigin = `${protocol}//${host}`;
     if (appUrl) {
       this.contentFrameEl.src = appUrl;
       this.contentFrameEl.id = `${this._prefix}-adapter-frame`;
@@ -304,7 +307,7 @@ class Adapter extends AdapterCore {
 
   _postMessage(data) {
     if (this._contentFrameEl.contentWindow) {
-      this._contentFrameEl.contentWindow.postMessage(data, '*');
+      this._contentFrameEl.contentWindow.postMessage(data, this._appOrigin);
     }
   }