From 2f12c4e22cbd8149f8c40b3129f9259415f0935e Mon Sep 17 00:00:00 2001
From: SilenceLurker
Date: Wed, 24 Dec 2025 22:31:43 +0800
Subject: [PATCH] Security Update

---
 core/tavern-helper/main.js | 7 +++++++
 core/tavern-helper/renderer-bindings.js | 27 +++++++++++++------------
 core/tavern-helper/renderer.js | 6 ++++++
 3 files changed, 27 insertions(+), 13 deletions(-)

diff --git a/core/tavern-helper/main.js b/core/tavern-helper/main.js
index 54c4cc8..4f39878 100644
--- a/core/tavern-helper/main.js
+++ b/core/tavern-helper/main.js
@@ -687,6 +687,13 @@ export function initializeApiListener() {
 return;
 }
 
+ // 终极安全修复:验证消息源窗口是否为已知的、由 renderer.js 创建的 iframe
+ // 这是防止来自控制台或恶意扩展的同源攻击的关键
+ if (!window.Amily2Renderer?.winMap?.has(event.source)) {
+ console.warn('[Amily2-Security] 收到来自未知源窗口的消息,已忽略。', event.source);
+ return;
+ }
+
 const handler = apiHandlers.get(data.request);
 const callbackRequest = `${data.request}_callback`;
 
diff --git a/core/tavern-helper/renderer-bindings.js b/core/tavern-helper/renderer-bindings.js
index d24bcbc..f02bace 100644
--- a/core/tavern-helper/renderer-bindings.js
+++ b/core/tavern-helper/renderer-bindings.js
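Review bot: The allow-list in the new guard is read through the mutable global `window.Amily2Renderer` at message time, so it cannot deliver what the added comment promises — any same-origin script, including the console and other extensions it names, can simply reassign that global with a `winMap` whose `has()` answers true. The check is still worth keeping as fail-closed filtering of messages from frames the renderer never created (everything is dropped while the global is absent), and the comment should claim only that, e.g. `// Drop messages from windows the renderer did not create (fail-closed while the renderer is uninitialized). Note: same-origin code can replace window.Amily2Renderer, so this is not a defence against it.` To make the guard robust, obtain the map or an `isKnownSource(event)` helper through a module-level import from renderer.js instead of a window property, which would also keep main.js and renderer.js on one shared check. initializeApiListener's body begins and ends outside the hunk, so the earlier validation of `data` is not visible here.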
@@ -20,20 +20,21 @@ export function initializeRendererBindings() {
 if (!extension_settings[extensionName]) {
 extension_settings[extensionName] = {};
 }
- extension_settings[extensionName].amily_render_enabled = isChecked;
- saveSettingsDebounced();
+ const wasEnabled = extension_settings[extensionName].amily_render_enabled;
+ const isEnabled = this.checked;
+ extension_settings[extensionName].amily_render_enabled = isEnabled;
 
- if (isChecked && !isRendererInitialized) {
- initializeRenderer();
- isRendererInitialized = true;
- console.log("[Amily2-Renderer] Renderer has been initialized on-demand.");
- }
-
- if (isChecked) {
- renderAllIframes();
- } else {
- clearAllIframes();
- }
+ // 使用防抖保存,避免频繁操作
+ saveSettingsDebounced().then(() => {
+ // 仅在状态实际发生变化时执行渲染或清理
+ if (wasEnabled !== isEnabled) {
+ if (isEnabled) {
+ renderAllIframes();
+ } else {
+ clearAllIframes();
+ }
+ }
+ });
 });
 
 container.on('change', '#render-depth', function () {
diff --git a/core/tavern-helper/renderer.js b/core/tavern-helper/renderer.js
index 54232e1..f8ddf62 100644
--- a/core/tavern-helper/renderer.js
+++ b/core/tavern-helper/renderer.js
@@ -493,6 +493,12 @@ function registerIframeMapping(iframe, wrapper) {
 }
 
 function handleIframeMessage(event) {
+ // 安全修复:严格验证消息来源,只处理来自已知 iframe 的消息
+ // 即使是同源,也必须是我们自己创建的 iframe
+ if (!winMap.has(event.source)) {
+ return;
+ }
+
 const data = event.data || {};
 let rec = winMap.get(event.source);
 if (!rec || !rec.iframe) {
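Review bot: `saveSettingsDebounced().then(...)` assumes the debounced save returns a Promise; a debounce wrapper normally returns `undefined`, and if that is the case here the line throws a TypeError and `renderAllIframes()`/`clearAllIframes()` never run, whereas the removed code called them directly. The rewrite also drops the on-demand `initializeRenderer()` path, so enabling the toggle in a session where the renderer was never initialized renders nothing, and — since the new guard in main.js reads `window.Amily2Renderer` — presumably leaves API messages rejected until something else initializes it; confirm that initialization now happens elsewhere before removing it. Rendering should not be chained to persistence at all: fire the save and run the render/clear branch independently, keeping the `wasEnabled !== isEnabled` comparison. The change handler starts before the hunk, and `isRendererInitialized` is assumed to be a module-level `let` declared outside it.
```javascript
    extension_settings[extensionName].amily_render_enabled = isEnabled;
    saveSettingsDebounced();

    // Only render or clear when the toggle actually changed state.
    if (wasEnabled !== isEnabled) {
      if (isEnabled) {
        if (!isRendererInitialized) {
          initializeRenderer();
          isRendererInitialized = true;
        }
        renderAllIframes();
      } else {
        clearAllIframes();
      }
    }
```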
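Review bot: The new `winMap.has(event.source)` guard is immediately followed by `winMap.get(event.source)` and `if (!rec || !rec.iframe)`, so for an unknown source it repeats a lookup the existing code already performs; if that branch (outside the hunk) does nothing but return, the guard is redundant and the two can be folded into `const rec = winMap.get(event.source); if (!rec?.iframe) return;`, and if it does more, the silent early return changes its behaviour and the comment should say so. The matching guard added to main.js logs a warning while this one returns silently; pick one policy for dropped messages so operators can tell filtering from breakage. Note also that a frame's WindowProxy keeps its identity across navigations, so if the created iframes are allowed to navigate, map membership alone does not prove the frame still hosts renderer content — checking `event.origin` against the expected frame origin would close that, where that origin is known. handleIframeMessage continues past the end of the hunk.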