Secure notifications

In Notifications 2.8.0 or later with Workspace 19.2.11 or later, you can specify domains that have access to the data that's consumed in OpenFin notifications. You specify these domains using the match patterns algorithm that underlies the core domain-based security. For a general explanation, see Domain-based rules. Domain-based rules for notifications take a different set of properties, however, and all domains not specified by a rule are blocked.

How it works

At the platform or application level, you provide an array of domainRules as part of the notifications object. When you register a notifications client, you can also specify a setAllowedOrigins function to list the URLs or match patterns of client applications that are allowed access to notifications data.

If you specify allowed domains, the following functions are affected:

  • addEventListener: responds only to notification events that the client is allowed to access. The following events are triggered only if the client is allowed to access the notification that triggers the event:

  • clear: returns false if the client is not allowed to access the notification

  • clearAll: clears only the notifications that the client is allowed to access

  • getAll: returns only the notifications that the client is allowed to access

  • update: throws an error if the client is not allowed to access the notification, identical to the behavior if the notification does not exist

How to do it

At the platform level, provide the following in your manifest. Use the default key under notificationRules to specify globally which domains have access to notifications data:

{
  ...
  "notifications": {
    "security": {
      "notificationRules": {
        "default": {
          "allowedOrigins": ["<url-pattern>",...]
        }
      }
    }
  }
}

At the application level, provide the following in your manifest. Define allowedOrigins under notificationRule. This rule applies only to notification data generated by this application and takes precedence over the default rule defined by the platform:

{
  ...
  "notifications": {
    "security": {
      "notificationRule": {
        "allowedOrigins": ["<url-pattern>",...]
      }
    }
  }
}

To override platform-level access rules, you can add the following when you register a notifications client:

import { setAllowedOrigins } from "@openfin/workspace/notifications";

setAllowedOrigins(['https://*.example.com']);
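
The following is an added example, not OpenFin code: a manifest review helper that resolves which allowedOrigins apply to an application (application rule over platform default, as described above) and flags broad patterns. The sample manifests, function names, and the review policy are assumptions of this example, and the pattern parsing is a simplified scheme://host check, not OpenFin's match pattern implementation.

```javascript
// Added example. Constructed manifests using the key layout shown on this page.
const platformManifest = {
  notifications: { security: { notificationRules: {
    default: { allowedOrigins: ["https://*.example.com", "*://*/*"] },
  } } },
};
const appManifest = {
  notifications: { security: { notificationRule: {
    allowedOrigins: ["https://blotter.example.com", "http://*.example.com"],
  } } },
};
const appWithoutRule = {}; // falls back to the platform default rule

// The application-level rule takes precedence over the platform default.
function effectiveOrigins(platform, app) {
  const appRule = app?.notifications?.security?.notificationRule;
  if (Array.isArray(appRule?.allowedOrigins)) {
    return { source: "application", patterns: appRule.allowedOrigins };
  }
  const def = platform?.notifications?.security?.notificationRules?.default;
  return { source: "platform", patterns: def?.allowedOrigins ?? [] };
}

// Review policy assumed by this example (not an OpenFin check): flag patterns
// that reach beyond a named domain over https.
function auditPattern(pattern) {
  const m = /^([^:]+):\/\/([^/]*)(\/.*)?$/.exec(pattern);
  if (!m) return ["not in scheme://host form"];
  const [, scheme, host] = m;
  const findings = [];
  if (scheme === "*") findings.push("wildcard scheme");
  if (scheme === "http") findings.push("cleartext http scheme");
  if (host === "*") findings.push("wildcard host matches every domain");
  return findings;
}

// Returns one entry per effective pattern that needs review.
function auditApp(platform, app) {
  const { source, patterns } = effectiveOrigins(platform, app);
  return patterns
    .map((pattern) => ({ source, pattern, findings: auditPattern(pattern) }))
    .filter((entry) => entry.findings.length > 0);
}

console.log(JSON.stringify(auditApp(platformManifest, appManifest), null, 2));
```

Running it in a build or review step gives a list of patterns to justify before the manifest ships; an empty list means every effective pattern names a specific domain over https.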