From dc7bbd9b76b1e113bec8409d4f448af7e1b05e5a Mon Sep 17 00:00:00 2001
From: Simon Eisenmann <simon@struktur.de>
Date: Tue, 30 Jun 2015 17:00:39 +0200
Subject: [PATCH 01/12] Create sandbox iframes on demand rather than always by
 template code.

---
 static/js/directives/odfcanvas.js    | 10 ++++---
 static/js/directives/pdfcanvas.js    | 10 ++++---
 static/js/directives/youtubevideo.js |  3 +-
 static/js/services/sandbox.js        | 42 ++++++++++++++++++++++++----
 static/partials/youtubevideo.html    |  4 +--
 5 files changed, 51 insertions(+), 18 deletions(-)

diff --git a/static/js/directives/odfcanvas.js b/static/js/directives/odfcanvas.js
index ba96d944..449d5e41 100644
--- a/static/js/directives/odfcanvas.js
+++ b/static/js/directives/odfcanvas.js
@@ -31,14 +31,16 @@ define(['require', 'underscore', 'jquery', 'text!partials/odfcanvas_sandbox.html
 		var controller = ['$scope', '$element', '$attrs', function($scope, $element, $attrs) {
 
 			var container = $($element);
-
 			var odfCanvas;
-
 			var template = sandboxTemplate;
 			template = template.replace(/__PARENT_ORIGIN__/g, $window.location.protocol + "//" + $window.location.host);
 			template = template.replace(/__WEBODF_SANDBOX_JS_URL__/g, restURL.createAbsoluteUrl(require.toUrl('sandboxes/webodf') + ".js"));
 			template = template.replace(/__WEBODF_URL__/g, restURL.createAbsoluteUrl(require.toUrl('webodf') + ".js"));
-			var sandboxApi = sandbox.createSandbox($("iframe", container)[0], template);
+			var sandboxApi = sandbox.createSandbox(container, template, "allow-scripts", null, {
+				allowfullscreen: true,
+				mozallowfullscreen: true,
+				webkitallowfullscreen: true
+			});
 
 			sandboxApi.e.on("message", function(event, message) {
 				var msg = message.data;
@@ -231,7 +233,7 @@ define(['require', 'underscore', 'jquery', 'text!partials/odfcanvas_sandbox.html
 		return {
 			restrict: 'E',
 			replace: true,
-			template: '<div class="canvasContainer odfcontainer"><iframe allowfullscreen="true" mozallowfullscreen="true" webkitallowfullscreen="true" sandbox="allow-scripts"></iframe></div>',
+			template: '<div class="canvasContainer odfcontainer"></div>',
 			controller: controller
 		};
 
diff --git a/static/js/directives/pdfcanvas.js b/static/js/directives/pdfcanvas.js
index e4327664..fd6c8e86 100644
--- a/static/js/directives/pdfcanvas.js
+++ b/static/js/directives/pdfcanvas.js
@@ -29,16 +29,18 @@ define(['require', 'underscore', 'jquery', 'text!partials/pdfcanvas_sandbox.html
 		var controller = ['$scope', '$element', '$attrs', function($scope, $element, $attrs) {
 
 			var container = $($element);
-
 			var pdfCanvas;
-
 			var template = sandboxTemplate;
 			template = template.replace(/__PARENT_ORIGIN__/g, $window.location.protocol + "//" + $window.location.host);
 			template = template.replace(/__PDFJS_SANDBOX_JS_URL__/g, restURL.createAbsoluteUrl(require.toUrl('sandboxes/pdf') + ".js"));
 			template = template.replace(/__PDFJS_URL__/g, restURL.createAbsoluteUrl(require.toUrl('pdf') + ".js"));
 			template = template.replace(/__PDFJS_WORKER_URL__/g, restURL.createAbsoluteUrl(require.toUrl('pdf.worker') + ".js"));
 			template = template.replace(/__PDFJS_COMPATIBILITY_URL__/g, restURL.createAbsoluteUrl(require.toUrl('libs/pdf/compatibility') + ".js"));
-			var sandboxApi = sandbox.createSandbox($("iframe", container)[0], template);
+			var sandboxApi = sandbox.createSandbox(container, template, "allow-scripts", null, {
+				allowfullscreen: true,
+				mozallowfullscreen: true,
+				webkitallowfullscreen: true
+			});
 
 			sandboxApi.e.on("message", function(event, message) {
 				var msg = message.data;
@@ -289,7 +291,7 @@ define(['require', 'underscore', 'jquery', 'text!partials/pdfcanvas_sandbox.html
 		return {
 			restrict: 'E',
 			replace: true,
-			template: '<div class="canvasContainer"><iframe allowfullscreen="true" mozallowfullscreen="true" webkitallowfullscreen="true" sandbox="allow-scripts"></iframe></div>',
+			template: '<div class="canvasContainer"></div>',
 			controller: controller
 		};
 
diff --git a/static/js/directives/youtubevideo.js b/static/js/directives/youtubevideo.js
index 98806f1a..46e85758 100644
--- a/static/js/directives/youtubevideo.js
+++ b/static/js/directives/youtubevideo.js
@@ -112,12 +112,11 @@ define(['require', 'jquery', 'underscore', 'moment', 'text!partials/youtubevideo
 					sandboxApi = null;
 				}
 				if (!sandboxApi) {
-					var sandboxFrame = $(".youtubeplayer", $element)[0];
 
 					var template = sandboxTemplate;
 					template = template.replace(/__PARENT_ORIGIN__/g, $window.location.protocol + "//" + $window.location.host);
 					template = template.replace(/__YOUTUBE_SANDBOX_JS_URL__/g, restURL.createAbsoluteUrl(require.toUrl('sandboxes/youtube') + ".js"));
-					sandboxApi = sandbox.createSandbox(sandboxFrame, template);
+					sandboxApi = sandbox.createSandbox($(".youtubeplayercontainer", $element)[0], template, "allow-scripts allow-same-origin", "youtubeplayer");
 
 					sandboxApi.e.on("message", function(event, message) {
 						var msg = message.data;
diff --git a/static/js/services/sandbox.js b/static/js/services/sandbox.js
index f3046c93..774efffc 100644
--- a/static/js/services/sandbox.js
+++ b/static/js/services/sandbox.js
@@ -24,11 +24,37 @@ define(["jquery", "underscore"], function($, _) {
 
 	return ["$window", function($window) {
 
-		var Sandbox = function(iframe, template) {
-			this.iframe = iframe;
+		var Sandbox = function(container, template, sandbox, className, attrs) {
 			var blob = new $window.Blob([template], {type: "text/html;charset=utf-8"});
 			this.url = $window.URL.createObjectURL(blob);
-			this.iframe.src = this.url;
+			var iframe;
+			var $container = $(container);
+			if ($container.is("iframe")) {
+				// Container is iframe.
+				if (className) {
+					$container.addClass(className);
+				}
+				if (attrs) {
+					$container.attr(attrs);
+				}
+				iframe = $container[0];
+				iframe.src = this.url;
+				this.created = false;
+			} else {
+				// Create iframe.
+				iframe = $window.document.createElement("iframe");
+				iframe.sandbox = sandbox;
+				if (className) {
+					iframe.className = className;
+				}
+				if (attrs) {
+					$(iframe).attr(attrs);
+				}
+				iframe.src = this.url;
+				$container.append(iframe);
+				this.created = true;
+			}
+			this.iframe = iframe;
 			this.target = this.iframe.contentWindow;
 			this.e = $({});
 			this.handler = _.bind(this.onPostMessageReceived, this);
@@ -47,6 +73,9 @@ define(["jquery", "underscore"], function($, _) {
 				$window.URL.revokeObjectURL(this.url);
 				this.url = null;
 			}
+			if (this.created) {
+				$(this.iframe).remove();
+			}
 		};
 
 		Sandbox.prototype.onPostMessageReceived = function(event) {
@@ -83,8 +112,11 @@ define(["jquery", "underscore"], function($, _) {
 		};
 
 		return {
-			createSandbox: function(iframe, template) {
-				return new Sandbox(iframe, template);
+			createSandbox: function(iframe, template, sandbox, className, attrs) {
+				if (!sandbox) {
+					sandbox = "";
+				}
+				return new Sandbox(iframe, template, sandbox, className, attrs);
 			}
 		};
 
diff --git a/static/partials/youtubevideo.html b/static/partials/youtubevideo.html
index 0cd01e76..0542f3bb 100644
--- a/static/partials/youtubevideo.html
+++ b/static/partials/youtubevideo.html
@@ -30,9 +30,7 @@
 
 			<div ng-show="playbackActive">
 				<div class="row youtubecontainer">
-					<div class="embed-responsive embed-responsive-16by9">
-						<iframe sandbox="allow-scripts allow-same-origin" class="youtubeplayer"></iframe>
-					</div>
+					<div class="embed-responsive embed-responsive-16by9 youtubeplayercontainer"></div>
 					<div class="youtubeplayerinfo">
 						<div>{{_('Currently playing')}}<br><a href="{{ currentVideoUrl }}" rel="external" target="_blank">{{ currentVideoUrl }}</a></div>
 					</div>

From 5be1eda4eef5f07632b552e1930fdd90b62dbcd7 Mon Sep 17 00:00:00 2001
From: Joachim Bauch <mail@joachim-bauch.de>
Date: Tue, 30 Jun 2015 23:34:13 +0200
Subject: [PATCH 02/12] Don't return users twice in "Welcome" from global room.

---
 src/app/spreed-webrtc-server/roomworker.go | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/app/spreed-webrtc-server/roomworker.go b/src/app/spreed-webrtc-server/roomworker.go
index 95355309..9302638d 100644
--- a/src/app/spreed-webrtc-server/roomworker.go
+++ b/src/app/spreed-webrtc-server/roomworker.go
@@ -207,10 +207,12 @@ func (r *roomWorker) GetUsers() []*DataSession {
 			}
 		}
 		r.mutex.RUnlock()
-		// Include connections to global room.
-		for _, ec := range r.manager.GlobalUsers() {
-			if !appender(ec) {
-				break
+		if r.id != r.manager.globalRoomID {
+			// Include connections to global room.
+			for _, ec := range r.manager.GlobalUsers() {
+				if !appender(ec) {
+					break
+				}
 			}
 		}
 

From 7df88de38c1c7cb50700b8a02f782ee13856cd30 Mon Sep 17 00:00:00 2001
From: Simon Eisenmann <simon@struktur.de>
Date: Thu, 2 Jul 2015 10:37:20 +0200
Subject: [PATCH 03/12] Removed vim settings to avoid file beeing detected as
 Java by GitHub.

---
 static/js/libs/pdf/pdf.js | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/static/js/libs/pdf/pdf.js b/static/js/libs/pdf/pdf.js
index 3627683f..05fc4861 100644
--- a/static/js/libs/pdf/pdf.js
+++ b/static/js/libs/pdf/pdf.js
@@ -27,8 +27,6 @@ PDFJS.build = '997096f';
   // Use strict in our context only - users might not want it
   'use strict';
 
-/* -*- Mode: Java; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set shiftwidth=2 tabstop=2 autoindent cindent expandtab: */
 /* Copyright 2012 Mozilla Foundation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -1735,7 +1733,7 @@ PDFJS.verbosity = (PDFJS.verbosity === undefined ?
                    PDFJS.VERBOSITY_LEVELS.warnings : PDFJS.verbosity);
 
 /**
- * The maximum supported canvas size in total pixels e.g. width * height. 
+ * The maximum supported canvas size in total pixels e.g. width * height.
  * The default value is 4096 * 4096. Use -1 for no limit.
  * @var {number}
  */
@@ -2018,7 +2016,7 @@ var PDFDocumentProxy = (function PDFDocumentProxyClosure() {
  *                      rendering call the function that is the first argument
  *                      to the callback.
  */
- 
+
 /**
  * PDF page operator list.
  *
@@ -6850,7 +6848,7 @@ var SVGExtraState = (function SVGExtraStateClosure() {
     this.lineJoin = '';
     this.lineCap = '';
     this.miterLimit = 0;
-    
+
     this.dashArray = [];
     this.dashPhase = 0;
 
@@ -7077,7 +7075,7 @@ var SVGGraphics = (function SVGGraphicsClosure() {
       }
       return opListToTree(opList);
     },
-    
+
     executeOpTree: function SVGGraphics_executeOpTree(opTree) {
       var opTreeLen = opTree.length;
       for(var x = 0; x < opTreeLen; x++) {

From a523d6b783273035acd223ab742704e04c69df63 Mon Sep 17 00:00:00 2001
From: Simon Eisenmann <simon@struktur.de>
Date: Thu, 2 Jul 2015 12:19:56 +0200
Subject: [PATCH 04/12] Improved comments.

---
 src/app/spreed-webrtc-server/main.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/app/spreed-webrtc-server/main.go b/src/app/spreed-webrtc-server/main.go
index 13fd051a..d2821a05 100644
--- a/src/app/spreed-webrtc-server/main.go
+++ b/src/app/spreed-webrtc-server/main.go
@@ -335,7 +335,7 @@ func runner(runtime phoenix.Runtime) error {
 		runtime.DefaultHTTPSHandler(r)
 	}
 
-	// Add handlers.
+	// Prepare services.
 	buddyImages := NewImageCache()
 	codec := NewCodec(incomingCodecLimit)
 	roomManager := NewRoomManager(config, codec)
@@ -344,6 +344,8 @@ func runner(runtime phoenix.Runtime) error {
 	sessionManager := NewSessionManager(config, tickets, hub, roomManager, roomManager, buddyImages, sessionSecret)
 	statsManager := NewStatsManager(hub, roomManager, sessionManager)
 	channellingAPI := NewChannellingAPI(config, roomManager, tickets, sessionManager, statsManager, hub, hub, hub)
+
+	// Add handlers.
 	r.HandleFunc("/", httputils.MakeGzipHandler(mainHandler))
 	r.Handle("/static/img/buddy/{flags}/{imageid}/{idx:.*}", http.StripPrefix(config.B, makeImageHandler(buddyImages, time.Duration(24)*time.Hour)))
 	r.Handle("/static/{path:.*}", http.StripPrefix(config.B, httputils.FileStaticServer(http.Dir(rootFolder))))

From e35dd0f8a333955bec6982b5e1662aa88e647e98 Mon Sep 17 00:00:00 2001
From: Simon Eisenmann <simon@struktur.de>
Date: Thu, 2 Jul 2015 13:57:54 +0200
Subject: [PATCH 05/12] Added URL support to sandbox service.

---
 static/js/directives/odfcanvas.js    |  2 +-
 static/js/directives/pdfcanvas.js    |  2 +-
 static/js/directives/youtubevideo.js |  2 +-
 static/js/services/sandbox.js        | 52 +++++++++++++++++++---------
 4 files changed, 39 insertions(+), 19 deletions(-)

diff --git a/static/js/directives/odfcanvas.js b/static/js/directives/odfcanvas.js
index 449d5e41..9ce853cb 100644
--- a/static/js/directives/odfcanvas.js
+++ b/static/js/directives/odfcanvas.js
@@ -36,7 +36,7 @@ define(['require', 'underscore', 'jquery', 'text!partials/odfcanvas_sandbox.html
 			template = template.replace(/__PARENT_ORIGIN__/g, $window.location.protocol + "//" + $window.location.host);
 			template = template.replace(/__WEBODF_SANDBOX_JS_URL__/g, restURL.createAbsoluteUrl(require.toUrl('sandboxes/webodf') + ".js"));
 			template = template.replace(/__WEBODF_URL__/g, restURL.createAbsoluteUrl(require.toUrl('webodf') + ".js"));
-			var sandboxApi = sandbox.createSandbox(container, template, "allow-scripts", null, {
+			var sandboxApi = sandbox.createSandbox(container, template, null, "allow-scripts", null, {
 				allowfullscreen: true,
 				mozallowfullscreen: true,
 				webkitallowfullscreen: true
diff --git a/static/js/directives/pdfcanvas.js b/static/js/directives/pdfcanvas.js
index fd6c8e86..a89f50bc 100644
--- a/static/js/directives/pdfcanvas.js
+++ b/static/js/directives/pdfcanvas.js
@@ -36,7 +36,7 @@ define(['require', 'underscore', 'jquery', 'text!partials/pdfcanvas_sandbox.html
 			template = template.replace(/__PDFJS_URL__/g, restURL.createAbsoluteUrl(require.toUrl('pdf') + ".js"));
 			template = template.replace(/__PDFJS_WORKER_URL__/g, restURL.createAbsoluteUrl(require.toUrl('pdf.worker') + ".js"));
 			template = template.replace(/__PDFJS_COMPATIBILITY_URL__/g, restURL.createAbsoluteUrl(require.toUrl('libs/pdf/compatibility') + ".js"));
-			var sandboxApi = sandbox.createSandbox(container, template, "allow-scripts", null, {
+			var sandboxApi = sandbox.createSandbox(container, template, null, "allow-scripts", null, {
 				allowfullscreen: true,
 				mozallowfullscreen: true,
 				webkitallowfullscreen: true
diff --git a/static/js/directives/youtubevideo.js b/static/js/directives/youtubevideo.js
index 46e85758..93a484dc 100644
--- a/static/js/directives/youtubevideo.js
+++ b/static/js/directives/youtubevideo.js
@@ -116,7 +116,7 @@ define(['require', 'jquery', 'underscore', 'moment', 'text!partials/youtubevideo
 					var template = sandboxTemplate;
 					template = template.replace(/__PARENT_ORIGIN__/g, $window.location.protocol + "//" + $window.location.host);
 					template = template.replace(/__YOUTUBE_SANDBOX_JS_URL__/g, restURL.createAbsoluteUrl(require.toUrl('sandboxes/youtube') + ".js"));
-					sandboxApi = sandbox.createSandbox($(".youtubeplayercontainer", $element)[0], template, "allow-scripts allow-same-origin", "youtubeplayer");
+					sandboxApi = sandbox.createSandbox($(".youtubeplayercontainer", $element)[0], template, null, "allow-scripts allow-same-origin", "youtubeplayer");
 
 					sandboxApi.e.on("message", function(event, message) {
 						var msg = message.data;
diff --git a/static/js/services/sandbox.js b/static/js/services/sandbox.js
index 774efffc..f351e9ad 100644
--- a/static/js/services/sandbox.js
+++ b/static/js/services/sandbox.js
@@ -24,18 +24,35 @@ define(["jquery", "underscore"], function($, _) {
 
 	return ["$window", function($window) {
 
-		var Sandbox = function(container, template, sandbox, className, attrs) {
-			var blob = new $window.Blob([template], {type: "text/html;charset=utf-8"});
-			this.url = $window.URL.createObjectURL(blob);
+		var Sandbox = function(container, template, url, sandbox, className, attrs) {
+			this.container = container;
+			this.sandbox = sandbox ? sandbox : "";
+			this.className = className;
+			this.attrs = attrs;
+			if (template) {
+				var blob = new $window.Blob([template], {type: "text/html;charset=utf-8"});
+				this.url = this.blobUrl = $window.URL.createObjectURL(blob);
+			} else if (url) {
+				this.url = url;
+			}
+			if (this.url) {
+				this.create();
+			}
+		};
+
+		Sandbox.prototype.create = function() {
+			if (!this.url) {
+				return;
+			}
 			var iframe;
-			var $container = $(container);
+			var $container = $(this.container);
 			if ($container.is("iframe")) {
 				// Container is iframe.
-				if (className) {
-					$container.addClass(className);
+				if (this.className) {
+					$container.addClass(this.className);
 				}
-				if (attrs) {
-					$container.attr(attrs);
+				if (this.attrs) {
+					$container.attr(this.attrs);
 				}
 				iframe = $container[0];
 				iframe.src = this.url;
@@ -43,12 +60,12 @@ define(["jquery", "underscore"], function($, _) {
 			} else {
 				// Create iframe.
 				iframe = $window.document.createElement("iframe");
-				iframe.sandbox = sandbox;
-				if (className) {
-					iframe.className = className;
+				iframe.sandbox = this.sandbox;
+				if (this.className) {
+					iframe.className = this.className;
 				}
-				if (attrs) {
-					$(iframe).attr(attrs);
+				if (this.attrs) {
+					$(iframe).attr(this.attrs);
 				}
 				iframe.src = this.url;
 				$container.append(iframe);
@@ -69,10 +86,13 @@ define(["jquery", "underscore"], function($, _) {
 				$window.removeEventListener("message", this.handler, false);
 				this.handler = null;
 			}
-			if (this.url) {
-				$window.URL.revokeObjectURL(this.url);
-				this.url = null;
+			if (this.blobUrl) {
+				$window.URL.revokeObjectURL(this.blobUrl);
+				this.blobUrl = null;
 			}
+			this.url = null;
+			this.container = null;
+			this.attrs = null;
 			if (this.created) {
 				$(this.iframe).remove();
 			}

From b3d03b819c4b69f19cb740584895b473c8398b50 Mon Sep 17 00:00:00 2001
From: Simon Eisenmann <simon@struktur.de>
Date: Thu, 2 Jul 2015 17:54:45 +0200
Subject: [PATCH 06/12] Serve odf and pdf sandbox from the server to prepare
 CSP http header for Firefox compatibility as Firefox does not support CSP in
 meta tag (see https://bugzilla.mozilla.org/show_bug.cgi?id=663570).

---
 .../sandboxes}/odfcanvas_sandbox.html         |  7 +-
 .../sandboxes}/pdfcanvas_sandbox.html         |  7 +-
 src/app/spreed-webrtc-server/context.go       |  1 +
 src/app/spreed-webrtc-server/main.go          | 64 +++++++++++++++++--
 static/js/directives/odfcanvas.js             |  9 +--
 static/js/directives/pdfcanvas.js             | 11 +---
 static/js/main.js                             | 18 ------
 static/js/services/resturl.js                 |  3 +
 8 files changed, 78 insertions(+), 42 deletions(-)
 rename {static/partials => html/sandboxes}/odfcanvas_sandbox.html (71%)
 rename {static/partials => html/sandboxes}/pdfcanvas_sandbox.html (56%)

diff --git a/static/partials/odfcanvas_sandbox.html b/html/sandboxes/odfcanvas_sandbox.html
similarity index 71%
rename from static/partials/odfcanvas_sandbox.html
rename to html/sandboxes/odfcanvas_sandbox.html
index abe06482..40ee1e35 100644
--- a/static/partials/odfcanvas_sandbox.html
+++ b/html/sandboxes/odfcanvas_sandbox.html
@@ -1,8 +1,9 @@
-<!DOCTYPE html>
+<!doctype html>
 <html>
 	<head>
 		<title>WebODF Sandbox</title>
-		<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src __PARENT_ORIGIN__; img-src data:; style-src 'unsafe-inline'">
+		<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src <%.Origin%>; img-src data:; style-src 'unsafe-inline'">
+		<base href="<%.Cfg.B%>">
 		<style type="text/css">
 		html, body {
 			height:100%;
@@ -35,6 +36,6 @@
 		<div id="container">
 			<div id="odfcanvas"></div>
 		</div>
-		<script src="__WEBODF_SANDBOX_JS_URL__" data-parent-origin="__PARENT_ORIGIN__" data-webodf-url="__WEBODF_URL__"></script>
+		<script src="<%.Cfg.S%>/js/sandboxes/webodf.js" data-parent-origin="<%.Origin%>" data-webodf-url="<%.Cfg.S%>/js/libs/webodf.js"></script>
 	</body>
 </html>
diff --git a/static/partials/pdfcanvas_sandbox.html b/html/sandboxes/pdfcanvas_sandbox.html
similarity index 56%
rename from static/partials/pdfcanvas_sandbox.html
rename to html/sandboxes/pdfcanvas_sandbox.html
index 2a18428a..4380c57c 100644
--- a/static/partials/pdfcanvas_sandbox.html
+++ b/html/sandboxes/pdfcanvas_sandbox.html
@@ -1,8 +1,9 @@
-<!DOCTYPE html>
+<!doctype html>
 <html>
 	<head>
 		<title>pdf.js Sandbox</title>
-		<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src __PARENT_ORIGIN__ 'unsafe-eval'; img-src 'self'; style-src 'unsafe-inline'">
+		<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src <%.Origin%> 'unsafe-eval'; img-src 'self'; style-src 'unsafe-inline'">
+		<base href="<%.Cfg.B%>">
 		<style type="text/css">
 		html, body {
 			height:100%;
@@ -29,6 +30,6 @@
 		<div id="container">
 			<canvas id="canvas0"></canvas><canvas id="canvas1"></canvas>
 		</div>
-		<script src="__PDFJS_SANDBOX_JS_URL__" data-parent-origin="__PARENT_ORIGIN__" data-pdfjs-url="__PDFJS_URL__"  data-pdfjs-worker-url="__PDFJS_WORKER_URL__" data-pdfjs-compatibility-url="__PDFJS_COMPATIBILITY_URL__"></script>
+		<script src="<%.Cfg.S%>/js/sandboxes/pdf.js" data-parent-origin="<%.Origin%>" data-pdfjs-url="<%.Cfg.S%>/js/libs/pdf/pdf.js" data-pdfjs-worker-url="<%.Cfg.S%>/js/libs/pdf/pdf.worker.js" data-pdfjs-compatibility-url="<%.Cfg.S%>/js/libs/pdf/compatibility.js"></script>
 	</body>
 </html>
diff --git a/src/app/spreed-webrtc-server/context.go b/src/app/spreed-webrtc-server/context.go
index fee07996..9df3b88c 100644
--- a/src/app/spreed-webrtc-server/context.go
+++ b/src/app/spreed-webrtc-server/context.go
@@ -30,4 +30,5 @@ type Context struct {
 	Languages []string
 	Room      string `json:"-"`
 	Scheme    string `json:"-"`
+	Origin    string `json:",omitempty"`
 }
diff --git a/src/app/spreed-webrtc-server/main.go b/src/app/spreed-webrtc-server/main.go
index d2821a05..07ce3220 100644
--- a/src/app/spreed-webrtc-server/main.go
+++ b/src/app/spreed-webrtc-server/main.go
@@ -36,10 +36,13 @@ import (
 	"log"
 	"net/http"
 	_ "net/http/pprof"
+	"net/url"
 	"os"
 	"path"
+	"path/filepath"
 	goruntime "runtime"
 	"strconv"
+	"strings"
 	"syscall"
 	"time"
 )
@@ -75,6 +78,20 @@ func roomHandler(w http.ResponseWriter, r *http.Request) {
 
 }
 
+func sandboxHandler(w http.ResponseWriter, r *http.Request) {
+
+	vars := mux.Vars(r)
+	// NOTE(longsleep): origin_scheme is window.location.protocol (eg. https:, http:).
+	originURL, err := url.Parse(fmt.Sprintf("%s//%s", vars["origin_scheme"], vars["origin_host"]))
+	if err != nil || originURL.Scheme == "" || originURL.Host == "" {
+		http.Error(w, "Invalid origin path", http.StatusBadRequest)
+		return
+	}
+	origin := fmt.Sprintf("%s://%s", originURL.Scheme, originURL.Host)
+	handleSandboxView(vars["sandbox"], origin, w, r)
+
+}
+
 func makeImageHandler(buddyImages ImageCache, expires time.Duration) http.HandlerFunc {
 
 	return func(w http.ResponseWriter, r *http.Request) {
@@ -158,6 +175,31 @@ func handleRoomView(room string, w http.ResponseWriter, r *http.Request) {
 
 }
 
+func handleSandboxView(sandbox string, origin string, w http.ResponseWriter, r *http.Request) {
+
+	w.Header().Set("Content-Type", "text/html; charset=UTF-8")
+	w.Header().Set("Expires", "-1")
+	w.Header().Set("Cache-Control", "private, max-age=0")
+
+	//w.Header().Set("Content-Security-Policy", config.contentSecurityPolicy)
+
+	var err error
+	sandboxTemplateName := fmt.Sprintf("%s_sandbox.html", sandbox)
+
+	// Prepare context to deliver to HTML..
+	if t := templates.Lookup(sandboxTemplateName); t != nil {
+		// Prepare context to deliver to HTML..
+		context := &Context{Cfg: config, Origin: origin}
+		err = t.Execute(w, &context)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+		}
+	} else {
+		http.Error(w, "404 Unknown Sandbox", http.StatusNotFound)
+	}
+
+}
+
 func runner(runtime phoenix.Runtime) error {
 
 	log.SetFlags(log.LstdFlags | log.Lmicroseconds)
@@ -257,10 +299,21 @@ func runner(runtime phoenix.Runtime) error {
 	config = NewConfig(runtime, tokenProvider != nil)
 
 	// Load templates.
-	tt := template.New("")
-	tt.Delims("<%", "%>")
-
-	templates, err = tt.ParseGlob(path.Join(rootFolder, "html", "*.html"))
+	templates = template.New("")
+	templates.Delims("<%", "%>")
+
+	// Load html templates folder
+	err = filepath.Walk(path.Join(rootFolder, "html"), func(path string, info os.FileInfo, err error) error {
+		if err == nil {
+			if strings.HasSuffix(path, ".html") {
+				_, err = templates.ParseFiles(path)
+				if err != nil {
+					return err
+				}
+			}
+		}
+		return nil
+	})
 	if err != nil {
 		return fmt.Errorf("Failed to load templates: %s", err)
 	}
@@ -356,6 +409,9 @@ func runner(runtime phoenix.Runtime) error {
 	// Simple room handler.
 	r.HandleFunc("/{room}", httputils.MakeGzipHandler(roomHandler))
 
+	// Sandbox handler.
+	r.HandleFunc("/sandbox/{origin_scheme}/{origin_host}/{sandbox}.html", httputils.MakeGzipHandler(sandboxHandler))
+
 	// Add API end points.
 	api := sloth.NewAPI()
 	api.SetMux(r.PathPrefix("/api/v1/").Subrouter())
diff --git a/static/js/directives/odfcanvas.js b/static/js/directives/odfcanvas.js
index 9ce853cb..e484ca18 100644
--- a/static/js/directives/odfcanvas.js
+++ b/static/js/directives/odfcanvas.js
@@ -20,7 +20,7 @@
  */
 
 "use strict";
-define(['require', 'underscore', 'jquery', 'text!partials/odfcanvas_sandbox.html'], function(require, _, $, sandboxTemplate) {
+define(['require', 'underscore', 'jquery'], function(require, _, $) {
 
 	return ["$window", "$compile", "$http", "translation", "safeApply", "restURL", "sandbox", function($window, $compile, $http, translation, safeApply, restURL, sandbox) {
 
@@ -32,11 +32,8 @@ define(['require', 'underscore', 'jquery', 'text!partials/odfcanvas_sandbox.html
 
 			var container = $($element);
 			var odfCanvas;
-			var template = sandboxTemplate;
-			template = template.replace(/__PARENT_ORIGIN__/g, $window.location.protocol + "//" + $window.location.host);
-			template = template.replace(/__WEBODF_SANDBOX_JS_URL__/g, restURL.createAbsoluteUrl(require.toUrl('sandboxes/webodf') + ".js"));
-			template = template.replace(/__WEBODF_URL__/g, restURL.createAbsoluteUrl(require.toUrl('webodf') + ".js"));
-			var sandboxApi = sandbox.createSandbox(container, template, null, "allow-scripts", null, {
+			var url = restURL.sandbox("odfcanvas");
+			var sandboxApi = sandbox.createSandbox(container, null, url, "allow-scripts", null, {
 				allowfullscreen: true,
 				mozallowfullscreen: true,
 				webkitallowfullscreen: true
diff --git a/static/js/directives/pdfcanvas.js b/static/js/directives/pdfcanvas.js
index a89f50bc..324d2d40 100644
--- a/static/js/directives/pdfcanvas.js
+++ b/static/js/directives/pdfcanvas.js
@@ -20,7 +20,7 @@
  */
 
 "use strict";
-define(['require', 'underscore', 'jquery', 'text!partials/pdfcanvas_sandbox.html'], function(require, _, $, sandboxTemplate) {
+define(['require', 'underscore', 'jquery'], function(require, _, $) {
 
 	return ["$window", "$compile", "$http", "translation", "safeApply", 'restURL', 'sandbox', function($window, $compile, $http, translation, safeApply, restURL, sandbox) {
 
@@ -30,13 +30,8 @@ define(['require', 'underscore', 'jquery', 'text!partials/pdfcanvas_sandbox.html
 
 			var container = $($element);
 			var pdfCanvas;
-			var template = sandboxTemplate;
-			template = template.replace(/__PARENT_ORIGIN__/g, $window.location.protocol + "//" + $window.location.host);
-			template = template.replace(/__PDFJS_SANDBOX_JS_URL__/g, restURL.createAbsoluteUrl(require.toUrl('sandboxes/pdf') + ".js"));
-			template = template.replace(/__PDFJS_URL__/g, restURL.createAbsoluteUrl(require.toUrl('pdf') + ".js"));
-			template = template.replace(/__PDFJS_WORKER_URL__/g, restURL.createAbsoluteUrl(require.toUrl('pdf.worker') + ".js"));
-			template = template.replace(/__PDFJS_COMPATIBILITY_URL__/g, restURL.createAbsoluteUrl(require.toUrl('libs/pdf/compatibility') + ".js"));
-			var sandboxApi = sandbox.createSandbox(container, template, null, "allow-scripts", null, {
+			var url = restURL.sandbox("pdfcanvas");
+			var sandboxApi = sandbox.createSandbox(container, null, url, "allow-scripts", null, {
 				allowfullscreen: true,
 				mozallowfullscreen: true,
 				webkitallowfullscreen: true
diff --git a/static/js/main.js b/static/js/main.js
index 95695f39..10371c04 100644
--- a/static/js/main.js
+++ b/static/js/main.js
@@ -51,10 +51,6 @@ require.config({
 		'humanize': 'libs/humanize',
 		'sha': 'libs/sha',
 		'sjcl': 'libs/sjcl',
-		'pdf': 'libs/pdf/pdf',
-		'pdf.worker': 'libs/pdf/pdf.worker',
-		'pdf.compatibility': 'libs/pdf/compatibility',
-		'webodf': 'libs/webodf',
 		'bootstrap-file-input': 'libs/bootstrap.file-input',
 		'webfont': 'libs/webfont',
 
@@ -115,20 +111,6 @@ require.config({
 			deps: ['jquery'],
 			exports: '$'
 		},
-		'pdf': {
-			deps: ['pdf.compatibility'],
-			exports: 'PDFJS'
-		},
-		'webodf': {
-			exports: 'odf',
-			init: function() {
-				return {
-					webodf: this.webodf,
-					odf: this.odf,
-					runtime: this.runtime
-				};
-			}
-		},
 		'bootstrap-file-input': {
 			deps: ['jquery'],
 			exports: '$'
diff --git a/static/js/services/resturl.js b/static/js/services/resturl.js
index 3ff406ee..1719d8e3 100644
--- a/static/js/services/resturl.js
+++ b/static/js/services/resturl.js
@@ -35,6 +35,9 @@ define(["underscore"], function(_) {
 		RestURL.prototype.api = function(path) {
 			return (context.Cfg.B || "/") + "api/v1/" + path;
 		};
+		RestURL.prototype.sandbox = function(sandbox) {
+			return (context.Cfg.B || "/") + "sandbox/" + $window.location.protocol + "/" + $window.location.host + "/" + sandbox + ".html";
+		};
 		RestURL.prototype.encodeRoomURL = function(name, prefix, cb) {
 			// Split parts so slashes are allowed.
 			var parts = name.split("/");

From bfd866a11e0f3d151839f6feb4fab81a269960c5 Mon Sep 17 00:00:00 2001
From: Simon Eisenmann <simon@struktur.de>
Date: Thu, 2 Jul 2015 18:24:50 +0200
Subject: [PATCH 07/12] Make sure to build pdf js separatly.

---
 build/build.js | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/build/build.js b/build/build.js
index 1f348e09..bd2c574b 100644
--- a/build/build.js
+++ b/build/build.js
@@ -50,10 +50,7 @@
 			]
 		},
 		{
-			name: 'base',
-			include: [
-				'pdf.compatibility'
-			]
+			name: 'base'
 		},
 		{
 			name: 'app',
@@ -64,14 +61,21 @@
 			inlineText: true,
 		},
 		{
-			name: 'pdf',
+			name: 'libs/pdf/pdf',
 			dir: './out/libs/pdf',
-			exclude: [
-				'base'
-			]
+			override: {
+				skipModuleInsertion: true
+			}
+		},
+		{
+			name: 'libs/pdf/compatibility',
+			dir: './out/libs/compatibility',
+			override: {
+				skipModuleInsertion: true
+			}
 		},
 		{
-			name: 'pdf.worker',
+			name: 'libs/pdf/pdf.worker',
 			dir: './out/libs/pdf',
 			override: {
 				skipModuleInsertion: true

From 7fcc9b57a643edc1d000c7c50477f5a704a0006b Mon Sep 17 00:00:00 2001
From: Simon Eisenmann <simon@struktur.de>
Date: Thu, 2 Jul 2015 18:28:09 +0200
Subject: [PATCH 08/12] Install sandbox html files.

---
 Makefile.am | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/Makefile.am b/Makefile.am
index 6af530b1..e3dcb99b 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -124,6 +124,7 @@ install:
 	@echo "Installing static resources to: $(SHARE)"
 	$(INSTALL) -d $(BIN)
 	$(INSTALL) -d $(SHARE)/www/html
+	$(INSTALL) -d $(SHARE)/www/html/sandboxes
 	$(INSTALL) -d $(SHARE)/www/static
 	$(INSTALL) -d $(SHARE)/www/static/img
 	$(INSTALL) -d $(SHARE)/www/static/sounds
@@ -133,7 +134,8 @@ install:
 	$(INSTALL) -d $(SHARE)/www/static/js/libs/pdf
 	$(INSTALL) -d $(SHARE)/www/static/js/sandboxes
 	$(INSTALL) bin/$(EXENAME) $(BIN)
-	$(INSTALL) html/* $(SHARE)/www/html
+	$(INSTALL) html/*.html $(SHARE)/www/html
+	$(INSTALL) html/sandboxes/*.html $(SHARE)/www/html/sandboxes
 	$(INSTALL) static/img/* $(SHARE)/www/static/img
 	$(INSTALL) static/sounds/* $(SHARE)/www/static/sounds
 	$(INSTALL) static/fonts/* $(SHARE)/www/static/fonts

From 77d7860ba15d470f684ce998249b8bf384ca788a Mon Sep 17 00:00:00 2001
From: Simon Eisenmann <simon@struktur.de>
Date: Thu, 2 Jul 2015 19:00:23 +0200
Subject: [PATCH 09/12] Moved CSP into HTTP response headers for odf and pdf
 sandbox and allowed blob: and data: img-src.

---
 html/sandboxes/odfcanvas_sandbox.html |  1 -
 html/sandboxes/pdfcanvas_sandbox.html |  1 -
 src/app/spreed-webrtc-server/main.go  | 21 ++++++++++++++++-----
 3 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/html/sandboxes/odfcanvas_sandbox.html b/html/sandboxes/odfcanvas_sandbox.html
index 40ee1e35..2fa64ba5 100644
--- a/html/sandboxes/odfcanvas_sandbox.html
+++ b/html/sandboxes/odfcanvas_sandbox.html
@@ -2,7 +2,6 @@
 <html>
 	<head>
 		<title>WebODF Sandbox</title>
-		<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src <%.Origin%>; img-src data:; style-src 'unsafe-inline'">
 		<base href="<%.Cfg.B%>">
 		<style type="text/css">
 		html, body {
diff --git a/html/sandboxes/pdfcanvas_sandbox.html b/html/sandboxes/pdfcanvas_sandbox.html
index 4380c57c..73840787 100644
--- a/html/sandboxes/pdfcanvas_sandbox.html
+++ b/html/sandboxes/pdfcanvas_sandbox.html
@@ -2,7 +2,6 @@
 <html>
 	<head>
 		<title>pdf.js Sandbox</title>
-		<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src <%.Origin%> 'unsafe-eval'; img-src 'self'; style-src 'unsafe-inline'">
 		<base href="<%.Cfg.B%>">
 		<style type="text/css">
 		html, body {
diff --git a/src/app/spreed-webrtc-server/main.go b/src/app/spreed-webrtc-server/main.go
index 07ce3220..ca785a64 100644
--- a/src/app/spreed-webrtc-server/main.go
+++ b/src/app/spreed-webrtc-server/main.go
@@ -181,19 +181,30 @@ func handleSandboxView(sandbox string, origin string, w http.ResponseWriter, r *
 	w.Header().Set("Expires", "-1")
 	w.Header().Set("Cache-Control", "private, max-age=0")
 
-	//w.Header().Set("Content-Security-Policy", config.contentSecurityPolicy)
-
-	var err error
 	sandboxTemplateName := fmt.Sprintf("%s_sandbox.html", sandbox)
 
 	// Prepare context to deliver to HTML..
 	if t := templates.Lookup(sandboxTemplateName); t != nil {
+
+		// CSP support for sandboxes.
+		var csp string
+		switch sandbox {
+		case "odfcanvas":
+			csp = fmt.Sprintf("default-src 'none'; script-src %s; img-src data: blob:; style-src 'unsafe-inline'", origin)
+		case "pdfcanvas":
+			csp = fmt.Sprintf("default-src 'none'; script-src %s 'unsafe-eval'; img-src 'self' data: blob:; style-src 'unsafe-inline'", origin)
+		default:
+			csp = "default-src 'none'"
+		}
+		w.Header().Set("Content-Security-Policy", csp)
+
 		// Prepare context to deliver to HTML..
-		context := &Context{Cfg: config, Origin: origin}
-		err = t.Execute(w, &context)
+		context := &Context{Cfg: config, Origin: origin, Csp: true}
+		err := t.Execute(w, &context)
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 		}
+
 	} else {
 		http.Error(w, "404 Unknown Sandbox", http.StatusNotFound)
 	}

From 344c5a44846e3be0e66f9b99c2f599e74c079c31 Mon Sep 17 00:00:00 2001
From: Simon Eisenmann <simon@struktur.de>
Date: Fri, 3 Jul 2015 09:49:14 +0200
Subject: [PATCH 10/12] Add notes about youtube sandbox.

---
 static/js/directives/youtubevideo.js | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/static/js/directives/youtubevideo.js b/static/js/directives/youtubevideo.js
index 93a484dc..5e038885 100644
--- a/static/js/directives/youtubevideo.js
+++ b/static/js/directives/youtubevideo.js
@@ -116,6 +116,13 @@ define(['require', 'jquery', 'underscore', 'moment', 'text!partials/youtubevideo
 					var template = sandboxTemplate;
 					template = template.replace(/__PARENT_ORIGIN__/g, $window.location.protocol + "//" + $window.location.host);
 					template = template.replace(/__YOUTUBE_SANDBOX_JS_URL__/g, restURL.createAbsoluteUrl(require.toUrl('sandboxes/youtube') + ".js"));
+					// NOTE(longsleep): Youtube needs to have allow-same-origin
+					// on the sandbox to function. For this reason, the sandbox
+					// frame is loaded from a blob: URL. Bottom line is that the
+					// CSP in the meta tag then does get ignored by Firefox and
+					// the global CSP is used instead. Means if a secure CSP is
+					// set, Youtube player does not work in Firefox. See
+					// https://bugzilla.mozilla.org/show_bug.cgi?id=663570 for details.
 					sandboxApi = sandbox.createSandbox($(".youtubeplayercontainer", $element)[0], template, null, "allow-scripts allow-same-origin", "youtubeplayer");
 
 					sandboxApi.e.on("message", function(event, message) {

From ff8150569be73309c61ba0a82ea142182a7c8ea0 Mon Sep 17 00:00:00 2001
From: Simon Eisenmann <simon@struktur.de>
Date: Fri, 3 Jul 2015 10:35:46 +0200
Subject: [PATCH 11/12] Load Youtube sandbox content on demand.

---
 .../sandboxes}/youtubevideo_sandbox.html      |  5 +--
 static/js/directives/youtubevideo.js          | 36 ++++++++++---------
 2 files changed, 22 insertions(+), 19 deletions(-)
 rename {static/partials => html/sandboxes}/youtubevideo_sandbox.html (60%)

diff --git a/static/partials/youtubevideo_sandbox.html b/html/sandboxes/youtubevideo_sandbox.html
similarity index 60%
rename from static/partials/youtubevideo_sandbox.html
rename to html/sandboxes/youtubevideo_sandbox.html
index a50ea83e..d5a41a32 100644
--- a/static/partials/youtubevideo_sandbox.html
+++ b/html/sandboxes/youtubevideo_sandbox.html
@@ -2,7 +2,8 @@
 <html>
 	<head>
 		<title>YouTube Player Sandbox</title>
-		<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src __PARENT_ORIGIN__ https://www.youtube.com https://s.ytimg.com 'unsafe-eval'; frame-src https://www.youtube.com; style-src 'unsafe-inline'">
+		<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src <%.Origin%> https://www.youtube.com https://s.ytimg.com 'unsafe-eval'; frame-src https://www.youtube.com; style-src 'unsafe-inline'">
+		<base href="<%.Cfg.B%>">
 		<style type="text/css">
 		html, body {
 			height:100%;
@@ -22,6 +23,6 @@
 	</head>
 	<body>
 		<div id="youtubeplayer"></div>
-		<script src="__YOUTUBE_SANDBOX_JS_URL__" data-parent-origin="__PARENT_ORIGIN__"></script>
+		<script src="<%.Cfg.S%>/js/sandboxes/youtube.js" data-parent-origin="<%.Origin%>"></script>
 	</body>
 </html>
diff --git a/static/js/directives/youtubevideo.js b/static/js/directives/youtubevideo.js
index 5e038885..90d79f03 100644
--- a/static/js/directives/youtubevideo.js
+++ b/static/js/directives/youtubevideo.js
@@ -20,9 +20,9 @@
  */
 
 "use strict";
-define(['require', 'jquery', 'underscore', 'moment', 'text!partials/youtubevideo.html', 'text!partials/youtubevideo_sandbox.html', 'bigscreen'], function(require, $, _, moment, template, sandboxTemplate, BigScreen) {
+define(['require', 'jquery', 'underscore', 'moment', 'text!partials/youtubevideo.html', 'bigscreen'], function(require, $, _, moment, template, BigScreen) {
 
-	return ["$window", "$document", "mediaStream", "alertify", "translation", "safeApply", "appData", "$q", "restURL", "sandbox", function($window, $document, mediaStream, alertify, translation, safeApply, appData, $q, restURL, sandbox) {
+	return ["$window", "$document", "mediaStream", "alertify", "translation", "safeApply", "appData", "$q", "restURL", "sandbox", "$http", function($window, $document, mediaStream, alertify, translation, safeApply, appData, $q, restURL, sandbox, $http) {
 
 		var YOUTUBE_IFRAME_API_URL = "//www.youtube.com/iframe_api";
 
@@ -106,25 +106,14 @@ define(['require', 'jquery', 'underscore', 'moment', 'text!partials/youtubevideo
 			var initialState = null;
 			var sandboxApi = null;
 
-			var createSandboxApi = function(force) {
+			var createSandboxApi = function(force, template) {
 				if (sandboxApi && force) {
 					sandboxApi.destroy();
 					sandboxApi = null;
 				}
 				if (!sandboxApi) {
 
-					var template = sandboxTemplate;
-					template = template.replace(/__PARENT_ORIGIN__/g, $window.location.protocol + "//" + $window.location.host);
-					template = template.replace(/__YOUTUBE_SANDBOX_JS_URL__/g, restURL.createAbsoluteUrl(require.toUrl('sandboxes/youtube') + ".js"));
-					// NOTE(longsleep): Youtube needs to have allow-same-origin
-					// on the sandbox to function. For this reason, the sandbox
-					// frame is loaded from a blob: URL. Bottom line is that the
-					// CSP in the meta tag then does get ignored by Firefox and
-					// the global CSP is used instead. Means if a secure CSP is
-					// set, Youtube player does not work in Firefox. See
-					// https://bugzilla.mozilla.org/show_bug.cgi?id=663570 for details.
 					sandboxApi = sandbox.createSandbox($(".youtubeplayercontainer", $element)[0], template, null, "allow-scripts allow-same-origin", "youtubeplayer");
-
 					sandboxApi.e.on("message", function(event, message) {
 						var msg = message.data;
 						var data = msg[msg.type] || {};
@@ -551,12 +540,25 @@ define(['require', 'jquery', 'underscore', 'moment', 'text!partials/youtubevideo
 				}
 			};
 
-			$scope.loadYouTubeAPI = function() {
-				createSandboxApi(true);
+			$scope.loadYouTubeAPI = function(soft) {
+				var url = restURL.sandbox("youtubevideo");
+				var baseRegex = /<base href=.*>/i;
+				// NOTE(longsleep): Youtube needs to have allow-same-origin
+				// on the sandbox to function. For this reason, the sandbox
+				// frame is loaded from a blob: URL. Bottom line is that the
+				// CSP in the meta tag then does get ignored by Firefox and
+				// the global CSP is used instead. Means if a secure CSP is
+				// set, Youtube player does not work in Firefox. See
+				// https://bugzilla.mozilla.org/show_bug.cgi?id=663570 for details.
+				$http.get(url).success(function(data) {
+					var base = '<base href="'+restURL.createAbsoluteUrl("")+'">';
+					data = data.replace(baseRegex, base);
+					createSandboxApi(!soft, data);
+				});
 			};
 
 			$scope.showYouTubeVideo = function() {
-				createSandboxApi();
+				$scope.loadYouTubeAPI(true);
 				$scope.layout.youtubevideo = true;
 				$scope.$emit("mainview", "youtubevideo", true);
 				if (currentToken) {

From 6e96755cd1aa7822103fd5434dc38626c5363c41 Mon Sep 17 00:00:00 2001
From: Simon Eisenmann <simon@struktur.de>
Date: Fri, 3 Jul 2015 11:46:20 +0200
Subject: [PATCH 12/12] 0.24.1

---
 debian/changelog | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 9570eefa..12a14714 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+spreed-webrtc-server (0.24.1) precise; urgency=low
+
+  * Load sandboxes on demand, generated by server.
+  * ODF and PDF sandboxes now use CSP from HTTP response header.
+  * No longer include obsolete sandbox stuff in base scripts.
+  * Sandbox iframes are now always created on demand.
+  * Don't return users twice in "Welcome" from global room.
+
+ -- Simon Eisenmann <simon@struktur.de>  Fri, 03 Jul 2015 11:43:56 +0200
+
 spreed-webrtc-server (0.24.0) precise; urgency=low
 
   * Added hover actions on buddy picture in group chat.