From db9c6108ba51d531fb642fab2846fd85e38991df Mon Sep 17 00:00:00 2001
From: Joachim Bauch
Date: Tue, 28 Apr 2015 18:52:24 +0200
Subject: [PATCH 1/3] Load sandbox iframes from "blob:" urls. Firefox doesn't support "data:" urls for this.
---
 server.conf.in | 2 +-
 static/js/services/sandbox.js | 11 +++++++++--
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/server.conf.in b/server.conf.in
index a02df90c..07bb0698 100644
--- a/server.conf.in
+++ b/server.conf.in
@@ -109,7 +109,7 @@ serverRealm = local
 ; data: URL for images.
 ; The currently recommended CSP is:
 ; default-src 'self';
-; frame-src 'self' data:;
+; frame-src 'self' blob:;
 ; style-src 'self' 'unsafe-inline';
 ; img-src 'self' data: blob:;
 ; connect-src 'self' wss://server:port/ws blob:;
diff --git a/static/js/services/sandbox.js b/static/js/services/sandbox.js
index c9a17e01..f3046c93 100644
--- a/static/js/services/sandbox.js
+++ b/static/js/services/sandbox.js
@@ -26,12 +26,15 @@ define(["jquery", "underscore"], function($, _) {
 var Sandbox = function(iframe, template) {
 this.iframe = iframe;
- this.iframe.src = "data:text/html;charset=utf-8," + $window.encodeURI(template);
+ var blob = new $window.Blob([template], {type: "text/html;charset=utf-8"});
+ this.url = $window.URL.createObjectURL(blob);
+ this.iframe.src = this.url;
 this.target = this.iframe.contentWindow;
 this.e = $({});
 this.handler = _.bind(this.onPostMessageReceived, this);
 this.ready = false;
 this.pending_messages = [];
+ this.origin = $window.location.protocol + "//" + $window.location.host;
 $window.addEventListener("message", this.handler, false);
 };
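Review bot: The recommended policy in server.conf.in now lists `blob:` under `frame-src` without saying what needs it, and an installation that still sends the old header with `data:` will presumably have its sandbox iframes blocked after this change. A comment line next to the directive would cover both, for example `; blob: in frame-src is required for the sandbox iframes, which are loaded from blob: URLs`. The comment block this hunk edits starts above the visible context.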
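Review bot: The `Sandbox` constructor in static/js/services/sandbox.js now frames a `blob:` document, and a blob URL is bound to the origin of the page that created it, so the frame's isolation rests on the iframe element's `sandbox` attribute, which this hunk neither sets nor checks. A comment above the `createObjectURL` call would record that dependency, for example `// blob: URLs belong to our origin; isolation relies on the iframe's sandbox attribute (presumably without allow-same-origin)`. It would also help to note on `this.url` that the object URL stays alive until `destroy()` revokes it, and on `this.origin` that it is only used for the check in `onPostMessageReceived`.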
@@ -40,10 +43,14 @@ define(["jquery", "underscore"], function($, _) {
 $window.removeEventListener("message", this.handler, false);
 this.handler = null;
 }
+ if (this.url) {
+ $window.URL.revokeObjectURL(this.url);
+ this.url = null;
+ }
 };
 Sandbox.prototype.onPostMessageReceived = function(event) {
- if (event.origin !== "null" || event.source !== this.target) {
+ if ((event.origin !== "null" && event.origin !== this.origin) || event.source !== this.target) {
 // the sandboxed data-url iframe has "null" as origin
 return;
 }
From e6954bd2ae9458448fbe2c1922335c422cb49885 Mon Sep 17 00:00:00 2001
From: Joachim Bauch
Date: Tue, 28 Apr 2015 18:56:37 +0200
Subject: [PATCH 2/3] Firefox doesn't allow access to some computed styles in sandboxes. We return an empty style to WebODF in that case.
---
 static/js/sandboxes/webodf.js | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/static/js/sandboxes/webodf.js b/static/js/sandboxes/webodf.js
index ba5f7257..140a370c 100644
--- a/static/js/sandboxes/webodf.js
+++ b/static/js/sandboxes/webodf.js
@@ -73,6 +73,30 @@
 f.readAsText(bb);
 };
+ var EmptyFakeStyle = function() {
+ };
+
+ EmptyFakeStyle.prototype.getPropertyValue = function(property) {
+ return null;
+ }
+
+ var ODFCanvas_getWindow = function() {
+ var result = runtime.orig_getWindow.apply(runtime, arguments);
+ var orig_getComputedStyle = result.getComputedStyle
+
+ // Firefox doesn't allow access to some styles, so return a
+ // fake style for WebODF to use in that case.
+ result.getComputedStyle = function() {
+ var style = orig_getComputedStyle.apply(result, arguments);
+ if (!style) {
+ style = new EmptyFakeStyle();
+ }
+ return style;
+ }
+
+ return result;
+ };
+
 var WebODFSandbox = function(window) {
 this.head = document.getElementsByTagName('head')[0];
 this.canvasDom = document.getElementById("odfcanvas");
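Review bot: In `onPostMessageReceived` (static/js/services/sandbox.js) the new condition also accepts messages whose `event.origin` equals the page's own origin, which leaves `event.source !== this.target` as the only test separating the sandbox frame from any other same-origin sender. The retained comment still describes a data-url iframe and does not say when the own-origin case occurs; it could read `// the sandboxed blob: iframe has "null" as origin; TODO: name the browser that reports our own origin instead`. If that case only arises when the frame is not origin-isolated, it is worth confirming before the check relies on it. The handler's body continues outside the hunk.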
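Review bot: `ODFCanvas_getWindow` in static/js/sandboxes/webodf.js replaces `result.getComputedStyle` on every call, so if `runtime.orig_getWindow` returns the same window object each time, every call wraps the previous wrapper and the call chain keeps growing. Wrapping once avoids that: return early with `if (result.getComputedStyle.isFakeStyleWrapper) { return result; }` and set `result.getComputedStyle.isFakeStyleWrapper = true;` after the assignment (the property name is only a suggestion). Two smaller points: three of the new statements lack a trailing semicolon, and `EmptyFakeStyle.prototype.getPropertyValue` returns `null` where a real style object returns an empty string for a property that is not set.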
@@ -108,6 +132,8 @@
 runtime.readFile = ODFCanvas_readFile;
 runtime.orig_loadXML = runtime.loadXML;
 runtime.loadXML = ODFCanvas_loadXML;
+ runtime.orig_getWindow = runtime.getWindow;
+ runtime.getWindow = ODFCanvas_getWindow;
 that._doOpenFile(source);
 };
From 4c61ad22a4bd02dfadbf1449acec85540a774b08 Mon Sep 17 00:00:00 2001
From: Joachim Bauch
Date: Tue, 28 Apr 2015 19:02:33 +0200
Subject: [PATCH 3/3] Retry loading sandbox through button click.
---
 static/js/directives/youtubevideo.js | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/static/js/directives/youtubevideo.js b/static/js/directives/youtubevideo.js
index 44021e18..bfd213e5 100644
--- a/static/js/directives/youtubevideo.js
+++ b/static/js/directives/youtubevideo.js
@@ -106,7 +106,11 @@ define(['require', 'jquery', 'underscore', 'moment', 'text!partials/youtubevideo
 var initialState = null;
 var sandboxApi = null;
- var createSandboxApi = function() {
+ var createSandboxApi = function(force) {
+ if (sandboxApi && force) {
+ sandboxApi.destroy();
+ sandboxApi = null;
+ }
 if (!sandboxApi) {
 var sandboxFrame = $("#youtubeplayer", $element)[0];
@@ -515,6 +519,10 @@ define(['require', 'jquery', 'underscore', 'moment', 'text!partials/youtubevideo
 }
 };
+ $scope.loadYouTubeAPI = function() {
+ createSandboxApi(true);
+ };
+
 $scope.showYouTubeVideo = function() {
 createSandboxApi();
 $scope.layout.youtubevideo = true;
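Review bot: The two added lines in static/js/sandboxes/webodf.js save `runtime.getWindow` unconditionally, so if the enclosing function (only partly visible in this hunk) runs a second time, `runtime.orig_getWindow` becomes `ODFCanvas_getWindow` itself and the wrapper would call itself without end. A guard such as `if (runtime.getWindow !== ODFCanvas_getWindow) {` around both assignments prevents that. The `orig_loadXML` lines just above follow the same pattern and would need the same guard.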
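Review bot: `createSandboxApi(force)` in static/js/directives/youtubevideo.js gains a parameter with no comment, and the argument-less call in `$scope.showYouTubeVideo` relies on `force` being `undefined`. A line above the function such as `// force: destroy an existing sandbox and build a new one (retry button)` would document it, and `$scope.loadYouTubeAPI` in the later hunk could carry a matching note that it is the retry entry point. Because each forced call destroys the current sandbox, it may be worth checking whether state tied to the old one (for example `initialState`, declared just above) needs resetting. The body of `createSandboxApi` continues outside the hunk.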