Merge branch 'longsleep-sandboxcsp' into develop

10 years ago · 62480cccdb
10 changed files with 103 additions and 52 deletions
--- a/Makefile.am
+++ b/Makefile.am
@ -124,6 +124,7 @@ install:
				@@ -124,6 +124,7 @@ install:
 	@echo "Installing static resources to: $(SHARE)"
 	$(INSTALL) -d $(BIN)
 	$(INSTALL) -d $(SHARE)/www/html
+	$(INSTALL) -d $(SHARE)/www/html/sandboxes
 	$(INSTALL) -d $(SHARE)/www/static
 	$(INSTALL) -d $(SHARE)/www/static/img
 	$(INSTALL) -d $(SHARE)/www/static/sounds
@ -133,7 +134,8 @@ install:
				@@ -133,7 +134,8 @@ install:
 	$(INSTALL) -d $(SHARE)/www/static/js/libs/pdf
 	$(INSTALL) -d $(SHARE)/www/static/js/sandboxes
 	$(INSTALL) bin/$(EXENAME) $(BIN)
-	$(INSTALL) html/* $(SHARE)/www/html
+	$(INSTALL) html/*.html $(SHARE)/www/html
+	$(INSTALL) html/sandboxes/*.html $(SHARE)/www/html/sandboxes
 	$(INSTALL) static/img/* $(SHARE)/www/static/img
 	$(INSTALL) static/sounds/* $(SHARE)/www/static/sounds
 	$(INSTALL) static/fonts/* $(SHARE)/www/static/fonts
--- a/build/build.js
+++ b/build/build.js
@ -50,10 +50,7 @@
				@@ -50,10 +50,7 @@
 			]
 		},
 		{
-			name: 'base',
-			include: [
-				'pdf.compatibility'
-			]
+			name: 'base'
 		},
 		{
 			name: 'app',
@ -64,14 +61,21 @@
				@@ -64,14 +61,21 @@
 			inlineText: true,
 		},
 		{
-			name: 'pdf',
+			name: 'libs/pdf/pdf',
 			dir: './out/libs/pdf',
-			exclude: [
-				'base'
-			]
+			override: {
+				skipModuleInsertion: true
+			}
+		},
+		{
+			name: 'libs/pdf/compatibility',
+			dir: './out/libs/compatibility',
+			override: {
+				skipModuleInsertion: true
+			}
 		},
 		{
-			name: 'pdf.worker',
+			name: 'libs/pdf/pdf.worker',
 			dir: './out/libs/pdf',
 			override: {
 				skipModuleInsertion: true
--- a/static/partials/odfcanvas_sandbox.html
+++ b/static/partials/odfcanvas_sandbox.html
@ -1,8 +1,8 @@
				@@ -1,8 +1,8 @@
-<!DOCTYPE html>
+<!doctype html>
 <html>
 	<head>
 		<title>WebODF Sandbox</title>
-		<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src __PARENT_ORIGIN__; img-src data:; style-src 'unsafe-inline'">
+		<base href="<%.Cfg.B%>">
 		<style type="text/css">
 		html, body {
 			height:100%;
@ -35,6 +35,6 @@
				@@ -35,6 +35,6 @@
 		<div id="container">
 			<div id="odfcanvas"></div>
 		</div>
-		<script src="__WEBODF_SANDBOX_JS_URL__" data-parent-origin="__PARENT_ORIGIN__" data-webodf-url="__WEBODF_URL__"></script>
+		<script src="<%.Cfg.S%>/js/sandboxes/webodf.js" data-parent-origin="<%.Origin%>" data-webodf-url="<%.Cfg.S%>/js/libs/webodf.js"></script>
 	</body>
 </html>
--- a/static/partials/pdfcanvas_sandbox.html
+++ b/static/partials/pdfcanvas_sandbox.html
@ -1,8 +1,8 @@
				@@ -1,8 +1,8 @@
-<!DOCTYPE html>
+<!doctype html>
 <html>
 	<head>
 		<title>pdf.js Sandbox</title>
-		<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src __PARENT_ORIGIN__ 'unsafe-eval'; img-src 'self'; style-src 'unsafe-inline'">
+		<base href="<%.Cfg.B%>">
 		<style type="text/css">
 		html, body {
 			height:100%;
@ -29,6 +29,6 @@
				@@ -29,6 +29,6 @@
 		<div id="container">
 			<canvas id="canvas0"></canvas><canvas id="canvas1"></canvas>
 		</div>
-		<script src="__PDFJS_SANDBOX_JS_URL__" data-parent-origin="__PARENT_ORIGIN__" data-pdfjs-url="__PDFJS_URL__"  data-pdfjs-worker-url="__PDFJS_WORKER_URL__" data-pdfjs-compatibility-url="__PDFJS_COMPATIBILITY_URL__"></script>
+		<script src="<%.Cfg.S%>/js/sandboxes/pdf.js" data-parent-origin="<%.Origin%>" data-pdfjs-url="<%.Cfg.S%>/js/libs/pdf/pdf.js" data-pdfjs-worker-url="<%.Cfg.S%>/js/libs/pdf/pdf.worker.js" data-pdfjs-compatibility-url="<%.Cfg.S%>/js/libs/pdf/compatibility.js"></script>
 	</body>
 </html>
--- a/src/app/spreed-webrtc-server/context.go
+++ b/src/app/spreed-webrtc-server/context.go
@ -30,4 +30,5 @@ type Context struct {
				@@ -30,4 +30,5 @@ type Context struct {
 	Languages []string
 	Room      string `json:"-"`
 	Scheme    string `json:"-"`
+	Origin    string `json:",omitempty"`
 }
--- a/src/app/spreed-webrtc-server/main.go
+++ b/src/app/spreed-webrtc-server/main.go
@ -36,10 +36,13 @@ import (
				@@ -36,10 +36,13 @@ import (
 	"log"
 	"net/http"
 	_ "net/http/pprof"
+	"net/url"
 	"os"
 	"path"
+	"path/filepath"
 	goruntime "runtime"
 	"strconv"
+	"strings"
 	"syscall"
 	"time"
 )
@ -75,6 +78,20 @@ func roomHandler(w http.ResponseWriter, r *http.Request) {
				@@ -75,6 +78,20 @@ func roomHandler(w http.ResponseWriter, r *http.Request) {

 }

+func sandboxHandler(w http.ResponseWriter, r *http.Request) {
+
+	vars := mux.Vars(r)
+	// NOTE(longsleep): origin_scheme is window.location.protocol (eg. https:, http:).
+	originURL, err := url.Parse(fmt.Sprintf("%s//%s", vars["origin_scheme"], vars["origin_host"]))
+	if err != nil || originURL.Scheme == "" || originURL.Host == "" {
+		http.Error(w, "Invalid origin path", http.StatusBadRequest)
+		return
+	}
+	origin := fmt.Sprintf("%s://%s", originURL.Scheme, originURL.Host)
+	handleSandboxView(vars["sandbox"], origin, w, r)
+
+}
+
 func makeImageHandler(buddyImages ImageCache, expires time.Duration) http.HandlerFunc {

 	return func(w http.ResponseWriter, r *http.Request) {
@ -158,6 +175,42 @@ func handleRoomView(room string, w http.ResponseWriter, r *http.Request) {
				@@ -158,6 +175,42 @@ func handleRoomView(room string, w http.ResponseWriter, r *http.Request) {

 }

+func handleSandboxView(sandbox string, origin string, w http.ResponseWriter, r *http.Request) {
+
+	w.Header().Set("Content-Type", "text/html; charset=UTF-8")
+	w.Header().Set("Expires", "-1")
+	w.Header().Set("Cache-Control", "private, max-age=0")
+
+	sandboxTemplateName := fmt.Sprintf("%s_sandbox.html", sandbox)
+
+	// Prepare context to deliver to HTML..
+	if t := templates.Lookup(sandboxTemplateName); t != nil {
+
+		// CSP support for sandboxes.
+		var csp string
+		switch sandbox {
+		case "odfcanvas":
+			csp = fmt.Sprintf("default-src 'none'; script-src %s; img-src data: blob:; style-src 'unsafe-inline'", origin)
+		case "pdfcanvas":
+			csp = fmt.Sprintf("default-src 'none'; script-src %s 'unsafe-eval'; img-src 'self' data: blob:; style-src 'unsafe-inline'", origin)
+		default:
+			csp = "default-src 'none'"
+		}
+		w.Header().Set("Content-Security-Policy", csp)
+
+		// Prepare context to deliver to HTML..
+		context := &Context{Cfg: config, Origin: origin, Csp: true}
+		err := t.Execute(w, &context)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+		}
+
+	} else {
+		http.Error(w, "404 Unknown Sandbox", http.StatusNotFound)
+	}
+
+}
+
 func runner(runtime phoenix.Runtime) error {

 	log.SetFlags(log.LstdFlags | log.Lmicroseconds)
@ -257,10 +310,21 @@ func runner(runtime phoenix.Runtime) error {
				@@ -257,10 +310,21 @@ func runner(runtime phoenix.Runtime) error {
 	config = NewConfig(runtime, tokenProvider != nil)

 	// Load templates.
-	tt := template.New("")
-	tt.Delims("<%", "%>")
-
-	templates, err = tt.ParseGlob(path.Join(rootFolder, "html", "*.html"))
+	templates = template.New("")
+	templates.Delims("<%", "%>")
+
+	// Load html templates folder
+	err = filepath.Walk(path.Join(rootFolder, "html"), func(path string, info os.FileInfo, err error) error {
+		if err == nil {
+			if strings.HasSuffix(path, ".html") {
+				_, err = templates.ParseFiles(path)
+				if err != nil {
+					return err
+				}
+			}
+		}
+		return nil
+	})
 	if err != nil {
 		return fmt.Errorf("Failed to load templates: %s", err)
 	}
@ -356,6 +420,9 @@ func runner(runtime phoenix.Runtime) error {
				@@ -356,6 +420,9 @@ func runner(runtime phoenix.Runtime) error {
 	// Simple room handler.
 	r.HandleFunc("/{room}", httputils.MakeGzipHandler(roomHandler))

+	// Sandbox handler.
+	r.HandleFunc("/sandbox/{origin_scheme}/{origin_host}/{sandbox}.html", httputils.MakeGzipHandler(sandboxHandler))
+
 	// Add API end points.
 	api := sloth.NewAPI()
 	api.SetMux(r.PathPrefix("/api/v1/").Subrouter())
--- a/static/js/directives/odfcanvas.js
+++ b/static/js/directives/odfcanvas.js
@ -20,7 +20,7 @@
				@@ -20,7 +20,7 @@
 */

 "use strict";
-define(['require', 'underscore', 'jquery', 'text!partials/odfcanvas_sandbox.html'], function(require, _, $, sandboxTemplate) {
+define(['require', 'underscore', 'jquery'], function(require, _, $) {

 	return ["$window", "$compile", "$http", "translation", "safeApply", "restURL", "sandbox", function($window, $compile, $http, translation, safeApply, restURL, sandbox) {

@ -32,11 +32,8 @@ define(['require', 'underscore', 'jquery', 'text!partials/odfcanvas_sandbox.html
				@@ -32,11 +32,8 @@ define(['require', 'underscore', 'jquery', 'text!partials/odfcanvas_sandbox.html

 			var container = $($element);
 			var odfCanvas;
-			var template = sandboxTemplate;
-			template = template.replace(/__PARENT_ORIGIN__/g, $window.location.protocol + "//" + $window.location.host);
-			template = template.replace(/__WEBODF_SANDBOX_JS_URL__/g, restURL.createAbsoluteUrl(require.toUrl('sandboxes/webodf') + ".js"));
-			template = template.replace(/__WEBODF_URL__/g, restURL.createAbsoluteUrl(require.toUrl('webodf') + ".js"));
-			var sandboxApi = sandbox.createSandbox(container, template, null, "allow-scripts", null, {
+			var url = restURL.sandbox("odfcanvas");
+			var sandboxApi = sandbox.createSandbox(container, null, url, "allow-scripts", null, {
 				allowfullscreen: true,
 				mozallowfullscreen: true,
 				webkitallowfullscreen: true
--- a/static/js/directives/pdfcanvas.js
+++ b/static/js/directives/pdfcanvas.js
@ -20,7 +20,7 @@
				@@ -20,7 +20,7 @@
 */

 "use strict";
-define(['require', 'underscore', 'jquery', 'text!partials/pdfcanvas_sandbox.html'], function(require, _, $, sandboxTemplate) {
+define(['require', 'underscore', 'jquery'], function(require, _, $) {

 	return ["$window", "$compile", "$http", "translation", "safeApply", 'restURL', 'sandbox', function($window, $compile, $http, translation, safeApply, restURL, sandbox) {

@ -30,13 +30,8 @@ define(['require', 'underscore', 'jquery', 'text!partials/pdfcanvas_sandbox.html
				@@ -30,13 +30,8 @@ define(['require', 'underscore', 'jquery', 'text!partials/pdfcanvas_sandbox.html

 			var container = $($element);
 			var pdfCanvas;
-			var template = sandboxTemplate;
-			template = template.replace(/__PARENT_ORIGIN__/g, $window.location.protocol + "//" + $window.location.host);
-			template = template.replace(/__PDFJS_SANDBOX_JS_URL__/g, restURL.createAbsoluteUrl(require.toUrl('sandboxes/pdf') + ".js"));
-			template = template.replace(/__PDFJS_URL__/g, restURL.createAbsoluteUrl(require.toUrl('pdf') + ".js"));
-			template = template.replace(/__PDFJS_WORKER_URL__/g, restURL.createAbsoluteUrl(require.toUrl('pdf.worker') + ".js"));
-			template = template.replace(/__PDFJS_COMPATIBILITY_URL__/g, restURL.createAbsoluteUrl(require.toUrl('libs/pdf/compatibility') + ".js"));
-			var sandboxApi = sandbox.createSandbox(container, template, null, "allow-scripts", null, {
+			var url = restURL.sandbox("pdfcanvas");
+			var sandboxApi = sandbox.createSandbox(container, null, url, "allow-scripts", null, {
 				allowfullscreen: true,
 				mozallowfullscreen: true,
 				webkitallowfullscreen: true
--- a/static/js/main.js
+++ b/static/js/main.js
@ -51,10 +51,6 @@ require.config({
				@@ -51,10 +51,6 @@ require.config({
 		'humanize': 'libs/humanize',
 		'sha': 'libs/sha',
 		'sjcl': 'libs/sjcl',
-		'pdf': 'libs/pdf/pdf',
-		'pdf.worker': 'libs/pdf/pdf.worker',
-		'pdf.compatibility': 'libs/pdf/compatibility',
-		'webodf': 'libs/webodf',
 		'bootstrap-file-input': 'libs/bootstrap.file-input',
 		'webfont': 'libs/webfont',

@ -115,20 +111,6 @@ require.config({
				@@ -115,20 +111,6 @@ require.config({
 			deps: ['jquery'],
 			exports: '$'
 		},
-		'pdf': {
-			deps: ['pdf.compatibility'],
-			exports: 'PDFJS'
-		},
-		'webodf': {
-			exports: 'odf',
-			init: function() {
-				return {
-					webodf: this.webodf,
-					odf: this.odf,
-					runtime: this.runtime
-				};
-			}
-		},
 		'bootstrap-file-input': {
 			deps: ['jquery'],
 			exports: '$'
--- a/static/js/services/resturl.js
+++ b/static/js/services/resturl.js
@ -35,6 +35,9 @@ define(["underscore"], function(_) {
				@@ -35,6 +35,9 @@ define(["underscore"], function(_) {
 		RestURL.prototype.api = function(path) {
 			return (context.Cfg.B || "/") + "api/v1/" + path;
 		};
+		RestURL.prototype.sandbox = function(sandbox) {
+			return (context.Cfg.B || "/") + "sandbox/" + $window.location.protocol + "/" + $window.location.host + "/" + sandbox + ".html";
+		};
 		RestURL.prototype.encodeRoomURL = function(name, prefix, cb) {
 			// Split parts so slashes are allowed.
 			var parts = name.split("/");