Secure notifications
In Notifications 2.8.0 or later with Workspace 19.2.11 or later, you can specify domains that have access to the data that's consumed in OpenFin notifications. You specify these domains using the match patterns
algorithm that underlies the core domain-based security. For a general explanation, see Domain-based rules. Domain-based rules for notifications take a different set of properties, however, and all domains not specified by a rule are blocked.
How it works
At the platform or application level, you provide an array of domainRules
as part of the notifications
object. When you register a notifications client, you can also specify a setAllowedOrigins
function to list the URLs or match patterns of client applications that are allowed access to notifications data.
If you specify allowed domains, the following functions are affected:
-
addEventListener
: responds only to notification events that the client is allowed to access. The following events are triggered only if the client is allowed to access the notification that triggers the event: -
clear
: returns false if the client is not allowed to access the notification -
clearAll
: clears only the notifications that the client is allowed to access -
getAll
: returns only the notifications that the client is allowed to access -
update
: throws an error if the client is not allowed to access the notification, identical to the behavior if the notification does not exist
How to do it
At the platform level, provide the following in your manifest. Use the default
key under notificationRules
to specify globally what domains have access to notifications data:
{
...
"notifications": {
"security": {
"notificationRules": {
"default": {
"allowedOrigins": ["<url-pattern>",...]
}
}
}
}
}
At the application level, provide the following in your manifest. Define the allowedOrigins
under notificationRule
. This rule will only apply to notification data generated by this application and takes precedence over the default
rule defined by platform:
{
...
"notifications": {
"security": {
"notificationRule": {
"allowedOrigins": ["<url-pattern>",...]
}
}
}
}
To override platform-level access rules, you can add the following when you register:
import { setAllowedOrigins } from "@openfin/workspace/notifications";
setAllowedOrigins(['https://*.example.com']);
Updated about 1 month ago