Merge pull request #207 from fancycode/sandbox_firefox_fixes

Improve sandbox support for Firefox
10 years ago · 05ddf4f6a3
4 changed files with 45 additions and 4 deletions
--- a/server.conf.in
+++ b/server.conf.in
@ -109,7 +109,7 @@ serverRealm = local
 ; data: URL for images.
 ; The currently recommended CSP is:
 ;   default-src 'self';
-;   frame-src 'self' data:;
+;   frame-src 'self' blob:;
 ;   style-src 'self' 'unsafe-inline';
 ;   img-src 'self' data: blob:;
 ;   connect-src 'self' wss://server:port/ws blob:;
--- a/static/js/directives/youtubevideo.js
+++ b/static/js/directives/youtubevideo.js
@ -106,7 +106,11 @@ define(['require', 'jquery', 'underscore', 'moment', 'text!partials/youtubevideo
 			var initialState = null;
 			var sandboxApi = null;
-			var createSandboxApi = function() {
+			var createSandboxApi = function(force) {
 				if (sandboxApi && force) {
 					sandboxApi.destroy();
 					sandboxApi = null;
 				}
 				if (!sandboxApi) {
 					var sandboxFrame = $(".youtubeplayer", $element)[0];
@ -541,6 +545,10 @@ define(['require', 'jquery', 'underscore', 'moment', 'text!partials/youtubevideo
 				}
 			};
 			$scope.loadYouTubeAPI = function() {
 				createSandboxApi(true);
 			};
 			$scope.showYouTubeVideo = function() {
 				createSandboxApi();
 				$scope.layout.youtubevideo = true;
--- a/static/js/sandboxes/webodf.js
+++ b/static/js/sandboxes/webodf.js
@ -73,6 +73,30 @@
 		f.readAsText(bb);
 	};
 	var EmptyFakeStyle = function() {
 	};
 	EmptyFakeStyle.prototype.getPropertyValue = function(property) {
 		return null;
 	}
 	var ODFCanvas_getWindow = function() {
 		var result = runtime.orig_getWindow.apply(runtime, arguments);
 		var orig_getComputedStyle = result.getComputedStyle
 		// Firefox doesn't allow access to some styles, so return a
 		// fake style for WebODF to use in that case.
 		result.getComputedStyle = function() {
 			var style = orig_getComputedStyle.apply(result, arguments);
 			if (!style) {
 				style = new EmptyFakeStyle();
 			}
 			return style;
 		}
 		return result;
 	};
 	var WebODFSandbox = function(window) {
 		this.head = document.getElementsByTagName('head')[0];
 		this.canvasDom = document.getElementById("odfcanvas");
@ -108,6 +132,8 @@
 				runtime.readFile = ODFCanvas_readFile;
 				runtime.orig_loadXML = runtime.loadXML;
 				runtime.loadXML = ODFCanvas_loadXML;
 				runtime.orig_getWindow = runtime.getWindow;
 				runtime.getWindow = ODFCanvas_getWindow;
 				that._doOpenFile(source);
 			};
--- a/static/js/services/sandbox.js
+++ b/static/js/services/sandbox.js
@ -26,12 +26,15 @@ define(["jquery", "underscore"], function($, _) {
 		var Sandbox = function(iframe, template) {
 			this.iframe = iframe;
-			this.iframe.src = "data:text/html;charset=utf-8," + $window.encodeURI(template);
+			var blob = new $window.Blob([template], {type: "text/html;charset=utf-8"});
 			this.url = $window.URL.createObjectURL(blob);
 			this.iframe.src = this.url;
 			this.target = this.iframe.contentWindow;
 			this.e = $({});
 			this.handler = _.bind(this.onPostMessageReceived, this);
 			this.ready = false;
 			this.pending_messages = [];
 			this.origin = $window.location.protocol + "//" + $window.location.host;
 			$window.addEventListener("message", this.handler, false);
 		};
@ -40,10 +43,14 @@ define(["jquery", "underscore"], function($, _) {
 				$window.removeEventListener("message", this.handler, false);
 				this.handler = null;
 			}
 			if (this.url) {
 				$window.URL.revokeObjectURL(this.url);
 				this.url = null;
 			}
 		};
 		Sandbox.prototype.onPostMessageReceived = function(event) {
-			if (event.origin !== "null" || event.source !== this.target) {
+			if ((event.origin !== "null" && event.origin !== this.origin) || event.source !== this.target) {
 				// the sandboxed data-url iframe has "null" as origin
 				return;
 			}