
fix(worker): validate URL origin before importScripts#5198

Open
marcoscaceres wants to merge 5 commits into main from alert-autofix-24

Conversation

@marcoscaceres
Contributor

Potential fix for https://github.com/speced/respec/security/code-scanning/24

The safest fix is to enforce strict validation/allowlisting of langURL before calling importScripts, and reject anything not matching expected trusted URLs. Also validate propName to prevent unsafe property access, and ensure the loaded language registration function exists before use.

Best single approach without changing intended behavior:

  • In worker/respec-worker.js, inside the "highlight-load-lang" case, replace direct importScripts(langURL) with:
    1. Parse URL via new URL(langURL, self.location.href).
    2. Allow only http:/https: schemes.
    3. Restrict to same-origin (url.origin === self.location.origin) so only locally hosted language files load.
    4. Optionally enforce expected path prefix (e.g., /) and .js extension.
    5. Validate propName as a safe identifier and ensure self[propName] is a function before registering.
    6. Wrap in try/catch, log and skip on invalid input.

This keeps dynamic language loading, but removes attacker-controlled arbitrary script URL loading.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
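The six validation steps above, written out as an added example (this is not respec's own worker code). The worker's self.location.href is passed in as workerHref, the global scope as scope, and importScripts as importFn, so the logic can be exercised outside a worker; those three parameter names are assumptions of this example.

```javascript
// Added example, not respec's code: langURL/propName validation for the
// "highlight-load-lang" case, with the worker globals injected as parameters.
const SAFE_IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Returns the resolved absolute URL string, or null if the URL must be rejected.
function validateLangURL(langURL, workerHref) {
  let url;
  try {
    url = new URL(langURL, workerHref); // step 1: resolve against the worker's location
  } catch {
    return null; // unparsable input is rejected, never passed to importScripts
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null; // step 2
  if (url.origin !== new URL(workerHref).origin) return null; // step 3: same-origin only
  if (!url.pathname.endsWith(".js")) return null; // step 4: expected .js extension
  return url.href;
}

// Returns the registration function stored at scope[propName], or null.
function validateLangProp(propName, scope) {
  if (typeof propName !== "string" || !SAFE_IDENTIFIER.test(propName)) return null;
  // Own-property check so names like "__proto__" or "toString" cannot walk the prototype chain.
  if (!Object.prototype.hasOwnProperty.call(scope, propName)) return null;
  const fn = scope[propName];
  return typeof fn === "function" ? fn : null; // step 5
}

// Step 6: wrap the whole load in try/catch and skip (with a reason) on invalid input.
function loadLanguage(langURL, propName, workerHref, scope, importFn) {
  try {
    const href = validateLangURL(langURL, workerHref);
    if (!href) throw new Error(`rejected language URL: ${langURL}`);
    importFn(href); // stands in for importScripts(href); only reached for a validated URL
    const register = validateLangProp(propName, scope);
    if (!register) throw new Error(`no registration function named ${propName}`);
    return { ok: true, href, register };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}
```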
@marcoscaceres
Contributor Author

@copilot see the CI error about the commit message. Can you fix that please?

…ad-lang

Co-authored-by: marcoscaceres <870154+marcoscaceres@users.noreply.github.com>
Contributor

Copilot AI commented Apr 14, 2026

@copilot see the CI error about the commit message. Can you fix that please?

Done in commit 9faf188. The CI check (action-semantic-pull-request) validates the PR title, not the individual commit messages. The new commit uses fix(worker): validate URL origin before importScripts in highlight-load-lang as the message. The PR title will also need to be updated to a conventional commit format (e.g., fix(worker): validate URL origin before importScripts in highlight-load-lang) for the CI check to pass.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh gh auth status (http block)

If you need me to access, download, or install something from one of these locations, you can either:

marcoscaceres changed the title from "Potential fix for code scanning alert no. 24: Client-side URL redirect" to "fix: code scanning alert no. 24: Client-side URL redirect" on Apr 14, 2026
marcoscaceres changed the title from "fix: code scanning alert no. 24: Client-side URL redirect" to "fix(worker): validate URL origin before importScripts" on Apr 14, 2026
@marcoscaceres
Contributor Author

@copilot Can you fix the lint error from ci?

Agent-Logs-Url: https://github.com/speced/respec/sessions/eaf97df3-cfd4-4999-92cf-047f0b3b3ca4

Co-authored-by: marcoscaceres <870154+marcoscaceres@users.noreply.github.com>
Contributor

Copilot AI commented Apr 14, 2026

@copilot Can you fix the lint error from ci?

Fixed in commit d7c435c. The two Prettier formatting issues were long lines that needed to be broken up — the multi-condition if statement and the long error message string.

@marcoscaceres marcoscaceres marked this pull request as ready for review April 15, 2026 09:02