diff --git a/domain-server/resources/describe-settings.json b/domain-server/resources/describe-settings.json
index c813ffc54c..0084e51239 100644
--- a/domain-server/resources/describe-settings.json
+++ b/domain-server/resources/describe-settings.json
@@ -1285,7 +1285,7 @@
 {
 "name": "entityScriptSourceWhitelist",
 "label": "Entity Scripts Allowed from:",
- "help": "The domains that entity scripts are allowed from. A comma separated list of domains that entity scripts are allowed from, if someone attempts to create and entity or edit an entity to have a different domain, it will be rejected. If left blank, any domain is allowed.",
+ "help": "Comma separated list of URLs (with optional paths) that entity scripts are allowed from. If someone attempts to create and entity or edit an entity to have a different domain, it will be rejected. If left blank, any domain is allowed.",
 "placeholder": "",
 "default": "",
 "advanced": true
diff --git a/libraries/entities/src/EntityTree.cpp b/libraries/entities/src/EntityTree.cpp
index fdf95d2775..a3f685f95f 100644
--- a/libraries/entities/src/EntityTree.cpp
+++ b/libraries/entities/src/EntityTree.cpp
@@ -963,7 +963,17 @@ int EntityTree::processEditPacketData(ReceivedMessage& message, const unsigned c
 auto entityScriptURL = QUrl::fromUserInput(properties.getScript());
 for (const auto& whiteListedPrefix : _entityScriptSourceWhitelist) {
- if (entityScriptURL.host().compare(whiteListedPrefix, Qt::CaseInsensitive) == 0) {
+ auto whiteListURL = QUrl::fromUserInput(whiteListedPrefix);
+
+ if (entityScriptURL.scheme() != whiteListURL.scheme()) {
+ // isParentOf will be false if the schemes are different, but
+ }
+
+ qDebug() << "Comparing" << entityScriptURL << "to" << whiteListURL;
+ qDebug() << whiteListURL.isParentOf(entityScriptURL);
+
+ // check if this script URL matches the whitelist domain and, optionally, is beneath the path
+ if (whiteListURL.isParentOf(entityScriptURL)) {
 passedWhiteList = true;
 break;
 }
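Review bot: The new help string for entityScriptSourceWhitelist carries over the typo `create and entity` from the old text; it should read `create an entity`. The second sentence also still describes the rule as rejecting a script from "a different domain", while the list now holds URL prefixes with optional paths, so (as the isParentOf check in the EntityTree.cpp hunk suggests) a script on an allowed host but outside a listed path is rejected as well. A wording that matches the new behaviour would be `An entity whose script URL is not beneath one of these prefixes will be rejected on create or edit.`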