Merge branch 'release-0.24'

Makefile.am

@@ -124,6 +124,7 @@ install:
 	@echo "Installing static resources to: $(SHARE)"
 	$(INSTALL) -d $(BIN)
 	$(INSTALL) -d $(SHARE)/www/html
+	$(INSTALL) -d $(SHARE)/www/html/sandboxes
 	$(INSTALL) -d $(SHARE)/www/static
 	$(INSTALL) -d $(SHARE)/www/static/img
 	$(INSTALL) -d $(SHARE)/www/static/sounds
@@ -133,7 +134,8 @@ install:
 	$(INSTALL) -d $(SHARE)/www/static/js/libs/pdf
 	$(INSTALL) -d $(SHARE)/www/static/js/sandboxes
 	$(INSTALL) bin/$(EXENAME) $(BIN)
-	$(INSTALL) html/* $(SHARE)/www/html
+	$(INSTALL) html/*.html $(SHARE)/www/html
+	$(INSTALL) html/sandboxes/*.html $(SHARE)/www/html/sandboxes
 	$(INSTALL) static/img/* $(SHARE)/www/static/img
 	$(INSTALL) static/sounds/* $(SHARE)/www/static/sounds
 	$(INSTALL) static/fonts/* $(SHARE)/www/static/fonts

build/build.js

@@ -50,10 +50,7 @@
 			]
 		},
 		{
-			name: 'base',
-			include: [
-				'pdf.compatibility'
-			]
+			name: 'base'
 		},
 		{
 			name: 'app',
@@ -64,14 +61,21 @@
 			inlineText: true,
 		},
 		{
-			name: 'pdf',
+			name: 'libs/pdf/pdf',
 			dir: './out/libs/pdf',
-			exclude: [
-				'base'
-			]
+			override: {
+				skipModuleInsertion: true
+			}
+		},
+		{
+			name: 'libs/pdf/compatibility',
+			dir: './out/libs/compatibility',
+			override: {
+				skipModuleInsertion: true
+			}
 		},
 		{
-			name: 'pdf.worker',
+			name: 'libs/pdf/pdf.worker',
 			dir: './out/libs/pdf',
 			override: {
 				skipModuleInsertion: true

debian/changelog

@@ -1,3 +1,13 @@
+spreed-webrtc-server (0.24.1) precise; urgency=low
+
+  * Load sandboxes on demand, generated by server.
+  * ODF and PDF sandboxes now use CSP from HTTP response header.
+  * No longer include obsolete sandbox stuff in base scripts.
+  * Sandbox iframes are now always created on demand.
+  * Don't return users twice in "Welcome" from global room.
+
+ -- Simon Eisenmann <simon@struktur.de>  Fri, 03 Jul 2015 11:43:56 +0200
+
 spreed-webrtc-server (0.24.0) precise; urgency=low
 
   * Added hover actions on buddy picture in group chat.

html/sandboxes/odfcanvas_sandbox.html

@@ -1,8 +1,8 @@
-<!DOCTYPE html>
+<!doctype html>
 <html>
 	<head>
 		<title>WebODF Sandbox</title>
-		<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src __PARENT_ORIGIN__; img-src data:; style-src 'unsafe-inline'">
+		<base href="<%.Cfg.B%>">
 		<style type="text/css">
 		html, body {
 			height:100%;
@@ -35,6 +35,6 @@
 		<div id="container">
 			<div id="odfcanvas"></div>
 		</div>
-		<script src="__WEBODF_SANDBOX_JS_URL__" data-parent-origin="__PARENT_ORIGIN__" data-webodf-url="__WEBODF_URL__"></script>
+		<script src="<%.Cfg.S%>/js/sandboxes/webodf.js" data-parent-origin="<%.Origin%>" data-webodf-url="<%.Cfg.S%>/js/libs/webodf.js"></script>
 	</body>
 </html>

html/sandboxes/pdfcanvas_sandbox.html

@@ -1,8 +1,8 @@
-<!DOCTYPE html>
+<!doctype html>
 <html>
 	<head>
 		<title>pdf.js Sandbox</title>
-		<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src __PARENT_ORIGIN__ 'unsafe-eval'; img-src 'self'; style-src 'unsafe-inline'">
+		<base href="<%.Cfg.B%>">
 		<style type="text/css">
 		html, body {
 			height:100%;
@@ -29,6 +29,6 @@
 		<div id="container">
 			<canvas id="canvas0"></canvas><canvas id="canvas1"></canvas>
 		</div>
-		<script src="__PDFJS_SANDBOX_JS_URL__" data-parent-origin="__PARENT_ORIGIN__" data-pdfjs-url="__PDFJS_URL__"  data-pdfjs-worker-url="__PDFJS_WORKER_URL__" data-pdfjs-compatibility-url="__PDFJS_COMPATIBILITY_URL__"></script>
+		<script src="<%.Cfg.S%>/js/sandboxes/pdf.js" data-parent-origin="<%.Origin%>" data-pdfjs-url="<%.Cfg.S%>/js/libs/pdf/pdf.js" data-pdfjs-worker-url="<%.Cfg.S%>/js/libs/pdf/pdf.worker.js" data-pdfjs-compatibility-url="<%.Cfg.S%>/js/libs/pdf/compatibility.js"></script>
 	</body>
 </html>

html/sandboxes/youtubevideo_sandbox.html

@@ -2,7 +2,8 @@
 <html>
 	<head>
 		<title>YouTube Player Sandbox</title>
-		<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src __PARENT_ORIGIN__ https://www.youtube.com https://s.ytimg.com 'unsafe-eval'; frame-src https://www.youtube.com; style-src 'unsafe-inline'">
+		<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src <%.Origin%> https://www.youtube.com https://s.ytimg.com 'unsafe-eval'; frame-src https://www.youtube.com; style-src 'unsafe-inline'">
+		<base href="<%.Cfg.B%>">
 		<style type="text/css">
 		html, body {
 			height:100%;
@@ -22,6 +23,6 @@
 	</head>
 	<body>
 		<div id="youtubeplayer"></div>
-		<script src="__YOUTUBE_SANDBOX_JS_URL__" data-parent-origin="__PARENT_ORIGIN__"></script>
+		<script src="<%.Cfg.S%>/js/sandboxes/youtube.js" data-parent-origin="<%.Origin%>"></script>
 	</body>
 </html>

src/app/spreed-webrtc-server/context.go

@@ -30,4 +30,5 @@ type Context struct {
 	Languages []string
 	Room      string `json:"-"`
 	Scheme    string `json:"-"`
+	Origin    string `json:",omitempty"`
 }

src/app/spreed-webrtc-server/main.go

@@ -36,10 +36,13 @@ import (
 	"log"
 	"net/http"
 	_ "net/http/pprof"
+	"net/url"
 	"os"
 	"path"
+	"path/filepath"
 	goruntime "runtime"
 	"strconv"
+	"strings"
 	"syscall"
 	"time"
 )
@@ -75,6 +78,20 @@ func roomHandler(w http.ResponseWriter, r *http.Request) {
 
 }
 
+func sandboxHandler(w http.ResponseWriter, r *http.Request) {
+
+	vars := mux.Vars(r)
+	// NOTE(longsleep): origin_scheme is window.location.protocol (eg. https:, http:).
+	originURL, err := url.Parse(fmt.Sprintf("%s//%s", vars["origin_scheme"], vars["origin_host"]))
+	if err != nil || originURL.Scheme == "" || originURL.Host == "" {
+		http.Error(w, "Invalid origin path", http.StatusBadRequest)
+		return
+	}
+	origin := fmt.Sprintf("%s://%s", originURL.Scheme, originURL.Host)
+	handleSandboxView(vars["sandbox"], origin, w, r)
+
+}
+
 func makeImageHandler(buddyImages ImageCache, expires time.Duration) http.HandlerFunc {
 
 	return func(w http.ResponseWriter, r *http.Request) {
@@ -158,6 +175,42 @@ func handleRoomView(room string, w http.ResponseWriter, r *http.Request) {
 
 }
 
+func handleSandboxView(sandbox string, origin string, w http.ResponseWriter, r *http.Request) {
+
+	w.Header().Set("Content-Type", "text/html; charset=UTF-8")
+	w.Header().Set("Expires", "-1")
+	w.Header().Set("Cache-Control", "private, max-age=0")
+
+	sandboxTemplateName := fmt.Sprintf("%s_sandbox.html", sandbox)
+
+	// Prepare context to deliver to HTML..
+	if t := templates.Lookup(sandboxTemplateName); t != nil {
+
+		// CSP support for sandboxes.
+		var csp string
+		switch sandbox {
+		case "odfcanvas":
+			csp = fmt.Sprintf("default-src 'none'; script-src %s; img-src data: blob:; style-src 'unsafe-inline'", origin)
+		case "pdfcanvas":
+			csp = fmt.Sprintf("default-src 'none'; script-src %s 'unsafe-eval'; img-src 'self' data: blob:; style-src 'unsafe-inline'", origin)
+		default:
+			csp = "default-src 'none'"
+		}
+		w.Header().Set("Content-Security-Policy", csp)
+
+		// Prepare context to deliver to HTML..
+		context := &Context{Cfg: config, Origin: origin, Csp: true}
+		err := t.Execute(w, &context)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+		}
+
+	} else {
+		http.Error(w, "404 Unknown Sandbox", http.StatusNotFound)
+	}
+
+}
+
 func runner(runtime phoenix.Runtime) error {
 
 	log.SetFlags(log.LstdFlags | log.Lmicroseconds)
@@ -257,10 +310,21 @@ func runner(runtime phoenix.Runtime) error {
 	config = NewConfig(runtime, tokenProvider != nil)
 
 	// Load templates.
-	tt := template.New("")
-	tt.Delims("<%", "%>")
-
-	templates, err = tt.ParseGlob(path.Join(rootFolder, "html", "*.html"))
+	templates = template.New("")
+	templates.Delims("<%", "%>")
+
+	// Load html templates folder
+	err = filepath.Walk(path.Join(rootFolder, "html"), func(path string, info os.FileInfo, err error) error {
+		if err == nil {
+			if strings.HasSuffix(path, ".html") {
+				_, err = templates.ParseFiles(path)
+				if err != nil {
+					return err
+				}
+			}
+		}
+		return nil
+	})
 	if err != nil {
 		return fmt.Errorf("Failed to load templates: %s", err)
 	}
@@ -335,7 +399,7 @@ func runner(runtime phoenix.Runtime) error {
 		runtime.DefaultHTTPSHandler(r)
 	}
 
-	// Add handlers.
+	// Prepare services.
 	buddyImages := NewImageCache()
 	codec := NewCodec(incomingCodecLimit)
 	roomManager := NewRoomManager(config, codec)
@@ -344,6 +408,8 @@ func runner(runtime phoenix.Runtime) error {
 	sessionManager := NewSessionManager(config, tickets, hub, roomManager, roomManager, buddyImages, sessionSecret)
 	statsManager := NewStatsManager(hub, roomManager, sessionManager)
 	channellingAPI := NewChannellingAPI(config, roomManager, tickets, sessionManager, statsManager, hub, hub, hub)
+
+	// Add handlers.
 	r.HandleFunc("/", httputils.MakeGzipHandler(mainHandler))
 	r.Handle("/static/img/buddy/{flags}/{imageid}/{idx:.*}", http.StripPrefix(config.B, makeImageHandler(buddyImages, time.Duration(24)*time.Hour)))
 	r.Handle("/static/{path:.*}", http.StripPrefix(config.B, httputils.FileStaticServer(http.Dir(rootFolder))))
@@ -354,6 +420,9 @@ func runner(runtime phoenix.Runtime) error {
 	// Simple room handler.
 	r.HandleFunc("/{room}", httputils.MakeGzipHandler(roomHandler))
 
+	// Sandbox handler.
+	r.HandleFunc("/sandbox/{origin_scheme}/{origin_host}/{sandbox}.html", httputils.MakeGzipHandler(sandboxHandler))
+
 	// Add API end points.
 	api := sloth.NewAPI()
 	api.SetMux(r.PathPrefix("/api/v1/").Subrouter())

src/app/spreed-webrtc-server/roomworker.go

@@ -207,10 +207,12 @@ func (r *roomWorker) GetUsers() []*DataSession {
 			}
 		}
 		r.mutex.RUnlock()
-		// Include connections to global room.
-		for _, ec := range r.manager.GlobalUsers() {
-			if !appender(ec) {
-				break
+		if r.id != r.manager.globalRoomID {
+			// Include connections to global room.
+			for _, ec := range r.manager.GlobalUsers() {
+				if !appender(ec) {
+					break
+				}
 			}
 		}
 

static/js/directives/odfcanvas.js

@@ -20,7 +20,7 @@
  */
 
 "use strict";
-define(['require', 'underscore', 'jquery', 'text!partials/odfcanvas_sandbox.html'], function(require, _, $, sandboxTemplate) {
+define(['require', 'underscore', 'jquery'], function(require, _, $) {
 
 	return ["$window", "$compile", "$http", "translation", "safeApply", "restURL", "sandbox", function($window, $compile, $http, translation, safeApply, restURL, sandbox) {
 
@@ -31,14 +31,13 @@ define(['require', 'underscore', 'jquery', 'text!partials/odfcanvas_sandbox.html
 		var controller = ['$scope', '$element', '$attrs', function($scope, $element, $attrs) {
 
 			var container = $($element);
-
 			var odfCanvas;
-
-			var template = sandboxTemplate;
-			template = template.replace(/__PARENT_ORIGIN__/g, $window.location.protocol + "//" + $window.location.host);
-			template = template.replace(/__WEBODF_SANDBOX_JS_URL__/g, restURL.createAbsoluteUrl(require.toUrl('sandboxes/webodf') + ".js"));
-			template = template.replace(/__WEBODF_URL__/g, restURL.createAbsoluteUrl(require.toUrl('webodf') + ".js"));
-			var sandboxApi = sandbox.createSandbox($("iframe", container)[0], template);
+			var url = restURL.sandbox("odfcanvas");
+			var sandboxApi = sandbox.createSandbox(container, null, url, "allow-scripts", null, {
+				allowfullscreen: true,
+				mozallowfullscreen: true,
+				webkitallowfullscreen: true
+			});
 
 			sandboxApi.e.on("message", function(event, message) {
 				var msg = message.data;
@@ -231,7 +230,7 @@ define(['require', 'underscore', 'jquery', 'text!partials/odfcanvas_sandbox.html
 		return {
 			restrict: 'E',
 			replace: true,
-			template: '<div class="canvasContainer odfcontainer"><iframe allowfullscreen="true" mozallowfullscreen="true" webkitallowfullscreen="true" sandbox="allow-scripts"></iframe></div>',
+			template: '<div class="canvasContainer odfcontainer"></div>',
 			controller: controller
 		};
 

static/js/directives/pdfcanvas.js

@@ -20,7 +20,7 @@
  */
 
 "use strict";
-define(['require', 'underscore', 'jquery', 'text!partials/pdfcanvas_sandbox.html'], function(require, _, $, sandboxTemplate) {
+define(['require', 'underscore', 'jquery'], function(require, _, $) {
 
 	return ["$window", "$compile", "$http", "translation", "safeApply", 'restURL', 'sandbox', function($window, $compile, $http, translation, safeApply, restURL, sandbox) {
 
@@ -29,16 +29,13 @@ define(['require', 'underscore', 'jquery', 'text!partials/pdfcanvas_sandbox.html
 		var controller = ['$scope', '$element', '$attrs', function($scope, $element, $attrs) {
 
 			var container = $($element);
-
 			var pdfCanvas;
-
-			var template = sandboxTemplate;
-			template = template.replace(/__PARENT_ORIGIN__/g, $window.location.protocol + "//" + $window.location.host);
-			template = template.replace(/__PDFJS_SANDBOX_JS_URL__/g, restURL.createAbsoluteUrl(require.toUrl('sandboxes/pdf') + ".js"));
-			template = template.replace(/__PDFJS_URL__/g, restURL.createAbsoluteUrl(require.toUrl('pdf') + ".js"));
-			template = template.replace(/__PDFJS_WORKER_URL__/g, restURL.createAbsoluteUrl(require.toUrl('pdf.worker') + ".js"));
-			template = template.replace(/__PDFJS_COMPATIBILITY_URL__/g, restURL.createAbsoluteUrl(require.toUrl('libs/pdf/compatibility') + ".js"));
-			var sandboxApi = sandbox.createSandbox($("iframe", container)[0], template);
+			var url = restURL.sandbox("pdfcanvas");
+			var sandboxApi = sandbox.createSandbox(container, null, url, "allow-scripts", null, {
+				allowfullscreen: true,
+				mozallowfullscreen: true,
+				webkitallowfullscreen: true
+			});
 
 			sandboxApi.e.on("message", function(event, message) {
 				var msg = message.data;
@@ -289,7 +286,7 @@ define(['require', 'underscore', 'jquery', 'text!partials/pdfcanvas_sandbox.html
 		return {
 			restrict: 'E',
 			replace: true,
-			template: '<div class="canvasContainer"><iframe allowfullscreen="true" mozallowfullscreen="true" webkitallowfullscreen="true" sandbox="allow-scripts"></iframe></div>',
+			template: '<div class="canvasContainer"></div>',
 			controller: controller
 		};
 

static/js/directives/youtubevideo.js

@@ -20,9 +20,9 @@
  */
 
 "use strict";
-define(['require', 'jquery', 'underscore', 'moment', 'text!partials/youtubevideo.html', 'text!partials/youtubevideo_sandbox.html', 'bigscreen'], function(require, $, _, moment, template, sandboxTemplate, BigScreen) {
+define(['require', 'jquery', 'underscore', 'moment', 'text!partials/youtubevideo.html', 'bigscreen'], function(require, $, _, moment, template, BigScreen) {
 
-	return ["$window", "$document", "mediaStream", "alertify", "translation", "safeApply", "appData", "$q", "restURL", "sandbox", function($window, $document, mediaStream, alertify, translation, safeApply, appData, $q, restURL, sandbox) {
+	return ["$window", "$document", "mediaStream", "alertify", "translation", "safeApply", "appData", "$q", "restURL", "sandbox", "$http", function($window, $document, mediaStream, alertify, translation, safeApply, appData, $q, restURL, sandbox, $http) {
 
 		var YOUTUBE_IFRAME_API_URL = "//www.youtube.com/iframe_api";
 
@@ -106,19 +106,14 @@ define(['require', 'jquery', 'underscore', 'moment', 'text!partials/youtubevideo
 			var initialState = null;
 			var sandboxApi = null;
 
-			var createSandboxApi = function(force) {
+			var createSandboxApi = function(force, template) {
 				if (sandboxApi && force) {
 					sandboxApi.destroy();
 					sandboxApi = null;
 				}
 				if (!sandboxApi) {
-					var sandboxFrame = $(".youtubeplayer", $element)[0];
-
-					var template = sandboxTemplate;
-					template = template.replace(/__PARENT_ORIGIN__/g, $window.location.protocol + "//" + $window.location.host);
-					template = template.replace(/__YOUTUBE_SANDBOX_JS_URL__/g, restURL.createAbsoluteUrl(require.toUrl('sandboxes/youtube') + ".js"));
-					sandboxApi = sandbox.createSandbox(sandboxFrame, template);
 
+					sandboxApi = sandbox.createSandbox($(".youtubeplayercontainer", $element)[0], template, null, "allow-scripts allow-same-origin", "youtubeplayer");
 					sandboxApi.e.on("message", function(event, message) {
 						var msg = message.data;
 						var data = msg[msg.type] || {};
@@ -545,12 +540,25 @@ define(['require', 'jquery', 'underscore', 'moment', 'text!partials/youtubevideo
 				}
 			};
 
-			$scope.loadYouTubeAPI = function() {
-				createSandboxApi(true);
+			$scope.loadYouTubeAPI = function(soft) {
+				var url = restURL.sandbox("youtubevideo");
+				var baseRegex = /<base href=.*>/i;
+				// NOTE(longsleep): Youtube needs to have allow-same-origin
+				// on the sandbox to function. For this reason, the sandbox
+				// frame is loaded from a blob: URL. Bottom line is that the
+				// CSP in the meta tag then does get ignored by Firefox and
+				// the global CSP is used instead. Means if a secure CSP is
+				// set, Youtube player does not work in Firefox. See
+				// https://bugzilla.mozilla.org/show_bug.cgi?id=663570 for details.
+				$http.get(url).success(function(data) {
+					var base = '<base href="'+restURL.createAbsoluteUrl("")+'">';
+					data = data.replace(baseRegex, base);
+					createSandboxApi(!soft, data);
+				});
 			};
 
 			$scope.showYouTubeVideo = function() {
-				createSandboxApi();
+				$scope.loadYouTubeAPI(true);
 				$scope.layout.youtubevideo = true;
 				$scope.$emit("mainview", "youtubevideo", true);
 				if (currentToken) {

static/js/libs/pdf/pdf.js

@@ -27,8 +27,6 @@ PDFJS.build = '997096f';
   // Use strict in our context only - users might not want it
   'use strict';
 
-/* -*- Mode: Java; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set shiftwidth=2 tabstop=2 autoindent cindent expandtab: */
 /* Copyright 2012 Mozilla Foundation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -1735,7 +1733,7 @@ PDFJS.verbosity = (PDFJS.verbosity === undefined ?
                    PDFJS.VERBOSITY_LEVELS.warnings : PDFJS.verbosity);
 
 /**
- * The maximum supported canvas size in total pixels e.g. width * height. 
+ * The maximum supported canvas size in total pixels e.g. width * height.
  * The default value is 4096 * 4096. Use -1 for no limit.
  * @var {number}
  */
@@ -2018,7 +2016,7 @@ var PDFDocumentProxy = (function PDFDocumentProxyClosure() {
  *                      rendering call the function that is the first argument
  *                      to the callback.
  */
- 
+
 /**
  * PDF page operator list.
  *
@@ -6850,7 +6848,7 @@ var SVGExtraState = (function SVGExtraStateClosure() {
     this.lineJoin = '';
     this.lineCap = '';
     this.miterLimit = 0;
-    
+
     this.dashArray = [];
     this.dashPhase = 0;
 
@@ -7077,7 +7075,7 @@ var SVGGraphics = (function SVGGraphicsClosure() {
       }
       return opListToTree(opList);
     },
-    
+
     executeOpTree: function SVGGraphics_executeOpTree(opTree) {
       var opTreeLen = opTree.length;
       for(var x = 0; x < opTreeLen; x++) {

static/js/main.js

@@ -51,10 +51,6 @@ require.config({
 		'humanize': 'libs/humanize',
 		'sha': 'libs/sha',
 		'sjcl': 'libs/sjcl',
-		'pdf': 'libs/pdf/pdf',
-		'pdf.worker': 'libs/pdf/pdf.worker',
-		'pdf.compatibility': 'libs/pdf/compatibility',
-		'webodf': 'libs/webodf',
 		'bootstrap-file-input': 'libs/bootstrap.file-input',
 		'webfont': 'libs/webfont',
 
@@ -115,20 +111,6 @@ require.config({
 			deps: ['jquery'],
 			exports: '$'
 		},
-		'pdf': {
-			deps: ['pdf.compatibility'],
-			exports: 'PDFJS'
-		},
-		'webodf': {
-			exports: 'odf',
-			init: function() {
-				return {
-					webodf: this.webodf,
-					odf: this.odf,
-					runtime: this.runtime
-				};
-			}
-		},
 		'bootstrap-file-input': {
 			deps: ['jquery'],
 			exports: '$'

static/js/services/resturl.js

@@ -35,6 +35,9 @@ define(["underscore"], function(_) {
 		RestURL.prototype.api = function(path) {
 			return (context.Cfg.B || "/") + "api/v1/" + path;
 		};
+		RestURL.prototype.sandbox = function(sandbox) {
+			return (context.Cfg.B || "/") + "sandbox/" + $window.location.protocol + "/" + $window.location.host + "/" + sandbox + ".html";
+		};
 		RestURL.prototype.encodeRoomURL = function(name, prefix, cb) {
 			// Split parts so slashes are allowed.
 			var parts = name.split("/");

static/js/services/sandbox.js

@@ -24,11 +24,54 @@ define(["jquery", "underscore"], function($, _) {
 
 	return ["$window", function($window) {
 
-		var Sandbox = function(iframe, template) {
+		var Sandbox = function(container, template, url, sandbox, className, attrs) {
+			this.container = container;
+			this.sandbox = sandbox ? sandbox : "";
+			this.className = className;
+			this.attrs = attrs;
+			if (template) {
+				var blob = new $window.Blob([template], {type: "text/html;charset=utf-8"});
+				this.url = this.blobUrl = $window.URL.createObjectURL(blob);
+			} else if (url) {
+				this.url = url;
+			}
+			if (this.url) {
+				this.create();
+			}
+		};
+
+		Sandbox.prototype.create = function() {
+			if (!this.url) {
+				return;
+			}
+			var iframe;
+			var $container = $(this.container);
+			if ($container.is("iframe")) {
+				// Container is iframe.
+				if (this.className) {
+					$container.addClass(this.className);
+				}
+				if (this.attrs) {
+					$container.attr(this.attrs);
+				}
+				iframe = $container[0];
+				iframe.src = this.url;
+				this.created = false;
+			} else {
+				// Create iframe.
+				iframe = $window.document.createElement("iframe");
+				iframe.sandbox = this.sandbox;
+				if (this.className) {
+					iframe.className = this.className;
+				}
+				if (this.attrs) {
+					$(iframe).attr(this.attrs);
+				}
+				iframe.src = this.url;
+				$container.append(iframe);
+				this.created = true;
+			}
 			this.iframe = iframe;
-			var blob = new $window.Blob([template], {type: "text/html;charset=utf-8"});
-			this.url = $window.URL.createObjectURL(blob);
-			this.iframe.src = this.url;
 			this.target = this.iframe.contentWindow;
 			this.e = $({});
 			this.handler = _.bind(this.onPostMessageReceived, this);
@@ -43,9 +86,15 @@ define(["jquery", "underscore"], function($, _) {
 				$window.removeEventListener("message", this.handler, false);
 				this.handler = null;
 			}
-			if (this.url) {
-				$window.URL.revokeObjectURL(this.url);
-				this.url = null;
+			if (this.blobUrl) {
+				$window.URL.revokeObjectURL(this.blobUrl);
+				this.blobUrl = null;
+			}
+			this.url = null;
+			this.container = null;
+			this.attrs = null;
+			if (this.created) {
+				$(this.iframe).remove();
 			}
 		};
 
@@ -83,8 +132,11 @@ define(["jquery", "underscore"], function($, _) {
 		};
 
 		return {
-			createSandbox: function(iframe, template) {
-				return new Sandbox(iframe, template);
+			createSandbox: function(iframe, template, sandbox, className, attrs) {
+				if (!sandbox) {
+					sandbox = "";
+				}
+				return new Sandbox(iframe, template, sandbox, className, attrs);
 			}
 		};
 

static/partials/youtubevideo.html

@@ -30,9 +30,7 @@
 
 			<div ng-show="playbackActive">
 				<div class="row youtubecontainer">
-					<div class="embed-responsive embed-responsive-16by9">
-						<iframe sandbox="allow-scripts allow-same-origin" class="youtubeplayer"></iframe>
-					</div>
+					<div class="embed-responsive embed-responsive-16by9 youtubeplayercontainer"></div>
 					<div class="youtubeplayerinfo">
 						<div>{{_('Currently playing')}}<br><a href="{{ currentVideoUrl }}" rel="external" target="_blank">{{ currentVideoUrl }}</a></div>
 					</div>