From 89e9494530d7c1cc02658efb21e2d2d77030088f Mon Sep 17 00:00:00 2001 From: pavanjoshi914 Date: Thu, 3 Aug 2023 23:46:26 +0530 Subject: [PATCH 1/2] fix: events improvements remove enable from emit function which causes unnecessary dialogue open post message only for webln enabled pages, so that malicious pages doesn't listen to such events this also results in emitting the event only when we are on webln enabled page signed-off-by: pavan joshi --- src/extension/content-script/onendwebln.js | 3 +-- src/extension/providers/webln/index.ts | 3 --- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/src/extension/content-script/onendwebln.js b/src/extension/content-script/onendwebln.js index 8b4af99743..13c50b6b12 100644 --- a/src/extension/content-script/onendwebln.js +++ b/src/extension/content-script/onendwebln.js @@ -26,7 +26,6 @@ const disabledCalls = ["webln/enable"]; let isEnabled = false; // store if webln is enabled for this content page let isRejected = false; // store if the webln enable call failed. if so we do not prompt again let callActive = false; // store if a webln call is currently active. Used to prevent multiple calls in parallel - async function init() { const inject = await shouldInject(); if (!inject) { @@ -41,7 +40,7 @@ async function init() { extractLightningData(); } // forward account changed messaged to inpage script - else if (request.action === "accountChanged") { + else if (request.action === "accountChanged" && isEnabled) { window.postMessage({ action: "accountChanged", scope: "webln" }, "*"); } }); diff --git a/src/extension/providers/webln/index.ts b/src/extension/providers/webln/index.ts index 817dabc40d..721c97862a 100644 --- a/src/extension/providers/webln/index.ts +++ b/src/extension/providers/webln/index.ts 
@@ -113,16 +113,13 @@ export default class WebLNProvider { } async on(...args: Parameters) { - await this.enable(); return this._eventEmitter.on(...args); } async emit(...args: Parameters) { - await this.enable(); return this._eventEmitter.emit(...args); } async off(...args: Parameters) { - await this.enable(); return this._eventEmitter.off(...args); } From b6beda0b3c4631a9be6d9657c36e22514c514f03 Mon Sep 17 00:00:00 2001 From: pavanjoshi914 Date: Sat, 5 Aug 2023 13:02:47 +0530 Subject: [PATCH 2/2] feat: send messages to all the tabs including inactive ones send messaged only to the target origin signed-off-by: pavan joshi --- .../actions/accounts/select.ts | 24 +++++++------------ src/extension/content-script/onendnostr.js | 5 +++- src/extension/content-script/onendwebln.js | 5 +++- 3 files changed, 17 insertions(+), 17 deletions(-) diff --git a/src/extension/background-script/actions/accounts/select.ts b/src/extension/background-script/actions/accounts/select.ts index 1f158e2e27..8ac7cd69c2 100644 --- a/src/extension/background-script/actions/accounts/select.ts +++ b/src/extension/background-script/actions/accounts/select.ts 
@@ -47,23 +47,17 @@ export default select; // which will then be posted to the window so websites can sync with the switched account async function notifyAccountChanged() { try { - const tabs = await browser.tabs.query({ - active: true, - currentWindow: true, + const tabs = await browser.tabs.query({}); + // Send message to tabs with URLs starting with "http" or "https" + const validTabs = tabs.filter((tab) => { + const currentUrl = tab.url || ""; + return currentUrl.startsWith("http") || currentUrl.startsWith("https"); }); - const currentUrl = tabs.length && tabs[0].url; - // http for localhost websites - let validTabUrl = null; - if (currentUrl) - validTabUrl = - currentUrl.startsWith("http") || currentUrl.startsWith("https"); - if (validTabUrl) { - browser.tabs.sendMessage(tabs[0].id as number, { - action: "accountChanged", - }); - } else { - throw new Error("Unable to find active tab"); + for (const tab of validTabs) { + if (tab.id) { + await browser.tabs.sendMessage(tab.id, { action: "accountChanged" }); + } } } catch (error) { console.error("Failed to notify account changed", error); diff --git a/src/extension/content-script/onendnostr.js b/src/extension/content-script/onendnostr.js index 708c7bd407..1b234b24d3 100644 --- a/src/extension/content-script/onendnostr.js +++ b/src/extension/content-script/onendnostr.js @@ -33,7 +33,10 @@ async function init() { browser.runtime.onMessage.addListener((request, sender, sendResponse) => { // forward account changed messaged to inpage script if (request.action === "accountChanged") { - window.postMessage({ action: "accountChanged", scope: "nostr" }, "*"); + window.postMessage( + { action: "accountChanged", scope: "nostr" }, + window.location.origin + ); } }); diff --git a/src/extension/content-script/onendwebln.js b/src/extension/content-script/onendwebln.js index 13c50b6b12..8a52ddaace 100644 --- a/src/extension/content-script/onendwebln.js +++ b/src/extension/content-script/onendwebln.js 
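Review bot: In the new `for (const tab of validTabs)` loop of `notifyAccountChanged`, one rejected `browser.tabs.sendMessage` jumps to the single outer `catch`, so every tab after it is never notified. With the query widened to all tabs this is likely to happen, because `sendMessage` rejects when a tab has no listening content script (for example a tab opened before the extension loaded). Handling the failure per tab keeps the broadcast going: `try { await browser.tabs.sendMessage(tab.id, { action: "accountChanged" }); } catch { /* no receiver in this tab */ }`. The filter can also be tightened to `/^https?:\/\//.test(currentUrl)`, since `startsWith("https")` is already covered by `startsWith("http")`, which matches any scheme beginning with those letters. The end of the function lies outside the hunk.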
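Review bot: The nostr listener in `init()` forwards `accountChanged` to the page unconditionally, while the webln listener in this series only forwards when `isEnabled` is true. Now that the background script notifies every http(s) tab, any page where this content script runs can observe when the user switches accounts, whether or not the user ever granted it nostr access. Setting `window.location.origin` as the target does not change that, because the page itself is that origin. If onendnostr.js tracks a per-page enabled state (not visible in this hunk), the condition should mirror webln, e.g. `if (request.action === "accountChanged" && isEnabled)`. Otherwise the exposure should be documented next to the call.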
@@ -41,7 +41,10 @@ async function init() { } // forward account changed messaged to inpage script else if (request.action === "accountChanged" && isEnabled) { - window.postMessage({ action: "accountChanged", scope: "webln" }, "*"); + window.postMessage( + { action: "accountChanged", scope: "webln" }, + window.location.origin + ); } });
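Review bot: The `window.postMessage(..., window.location.origin)` call would benefit from a comment stating what the target origin does and does not protect. It stops delivery if the document's origin differs from the one the content script sees, but every script already running in the page, third-party includes among them, can still receive the message. A comment such as `// readable by any script on this page: keep the payload to action + scope, never account data` would keep a later change from adding identifiers to the payload. The onendnostr.js call earlier in this patch has the same shape and deserves the same comment.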