Check sender ID in the Dart Debug Extension

dwds/debug_extension_mv3/web/background.dart

@@ -79,6 +79,7 @@ Future<void> _handleRuntimeMessages(
     expectedType: MessageType.isAuthenticated,
     expectedSender: Script.detector,
     expectedRecipient: Script.background,
+    sender: sender,
     messageHandler: (String isAuthenticated) async {
       final dartTab = sender.tab;
       if (dartTab == null) {
@@ -99,6 +100,7 @@ Future<void> _handleRuntimeMessages(
     expectedType: MessageType.debugInfo,
     expectedSender: Script.detector,
     expectedRecipient: Script.background,
+    sender: sender,
     messageHandler: (DebugInfo debugInfo) async {
       final dartTab = sender.tab;
       if (dartTab == null) {
@@ -128,6 +130,7 @@ Future<void> _handleRuntimeMessages(
     expectedType: MessageType.debugStateChange,
     expectedSender: Script.debuggerPanel,
     expectedRecipient: Script.background,
+    sender: sender,
     messageHandler: (DebugStateChange debugStateChange) {
       final newState = debugStateChange.newState;
       final tabId = debugStateChange.tabId;
@@ -142,6 +145,7 @@ Future<void> _handleRuntimeMessages(
     expectedType: MessageType.multipleAppsDetected,
     expectedSender: Script.detector,
     expectedRecipient: Script.background,
+    sender: sender,
     messageHandler: (String multipleAppsDetected) async {
       final dartTab = sender.tab;
       if (dartTab == null) {
@@ -163,6 +167,7 @@ Future<void> _handleRuntimeMessages(
     expectedType: MessageType.appId,
     expectedSender: Script.copier,
     expectedRecipient: Script.background,
+    sender: sender,
     messageHandler: (String appId) {
       displayNotification('Copied app ID: $appId');
     },

dwds/debug_extension_mv3/web/chrome_api.dart

@@ -191,6 +191,8 @@ class Runtime {
 
   external String getURL(String path);
 
+  external String get id;
+
   // Note: Not checking the lastError when one occurs throws a runtime exception.
   external ChromeError? get lastError;
 

dwds/debug_extension_mv3/web/copier.dart

@@ -32,6 +32,7 @@ void _handleRuntimeMessages(
     expectedType: MessageType.appId,
     expectedSender: Script.background,
     expectedRecipient: Script.copier,
+    sender: sender,
     messageHandler: _copyAppId,
   );
 

dwds/debug_extension_mv3/web/messaging.dart

@@ -89,9 +89,12 @@ void interceptMessage<T>({
   required MessageType expectedType,
   required Script expectedSender,
   required Script expectedRecipient,
+  required MessageSender sender,
   required void Function(T message) messageHandler,
 }) {
   if (message == null) return;
+  if (!_isLegitimateSender(sender)) return;
+
   try {
     final decodedMessage = Message.fromJSON(message);
     if (decodedMessage.type != expectedType ||
@@ -187,3 +190,7 @@ Future<bool> _sendMessage({
   }
   return completer.future;
 }
+
+// Verify the message sender is our extension.
+bool _isLegitimateSender(MessageSender sender) =>
+    sender.id == chrome.runtime.id;

dwds/debug_extension_mv3/web/panel.dart

@@ -89,6 +89,7 @@ void _handleRuntimeMessages(
     expectedType: MessageType.debugStateChange,
     expectedSender: Script.background,
     expectedRecipient: Script.debuggerPanel,
+    sender: sender,
     messageHandler: (DebugStateChange debugStateChange) async {
       if (debugStateChange.tabId != _tabId) {
         debugWarn(
@@ -107,6 +108,7 @@ void _handleRuntimeMessages(
     expectedType: MessageType.connectFailure,
     expectedSender: Script.background,
     expectedRecipient: Script.debuggerPanel,
+    sender: sender,
     messageHandler: (ConnectFailure connectFailure) async {
       debugLog(
         'Received connect failure for ${connectFailure.tabId} vs $_tabId',