From db9c6108ba51d531fb642fab2846fd85e38991df Mon Sep 17 00:00:00 2001
From: Joachim Bauch
Date: Tue, 28 Apr 2015 18:52:24 +0200
Subject: [PATCH] Load sandbox iframes from "blob:" urls. Firefox doesn't support "data:" urls for this.
---
 server.conf.in | 2 +-
 static/js/services/sandbox.js | 11 +++++++++--
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/server.conf.in b/server.conf.in
index a02df90c..07bb0698 100644
--- a/server.conf.in
+++ b/server.conf.in
@@ -109,7 +109,7 @@ serverRealm = local
 ; data: URL for images.
 ; The currently recommended CSP is:
 ; default-src 'self';
-; frame-src 'self' data:;
+; frame-src 'self' blob:;
 ; style-src 'self' 'unsafe-inline';
 ; img-src 'self' data: blob:;
 ; connect-src 'self' wss://server:port/ws blob:;
diff --git a/static/js/services/sandbox.js b/static/js/services/sandbox.js
index c9a17e01..f3046c93 100644
--- a/static/js/services/sandbox.js
+++ b/static/js/services/sandbox.js
@@ -26,12 +26,15 @@ define(["jquery", "underscore"], function($, _) {
 var Sandbox = function(iframe, template) {
 this.iframe = iframe;
- this.iframe.src = "data:text/html;charset=utf-8," + $window.encodeURI(template);
+ var blob = new $window.Blob([template], {type: "text/html;charset=utf-8"});
+ this.url = $window.URL.createObjectURL(blob);
+ this.iframe.src = this.url;
 this.target = this.iframe.contentWindow;
 this.e = $({});
 this.handler = _.bind(this.onPostMessageReceived, this);
 this.ready = false;
 this.pending_messages = [];
+ this.origin = $window.location.protocol + "//" + $window.location.host;
 $window.addEventListener("message", this.handler, false);
 };
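Review bot: Moving the frame's source from a data: URL to a blob: URL changes the frame's origin, and the constructor does nothing to compensate: a data: document always gets an opaque ("null") origin, whereas a blob: document inherits the origin of the page that created it, so unless the `iframe` element handed to the constructor carries a `sandbox` attribute without `allow-same-origin` (the element is created outside this hunk, so I cannot confirm it) the template now runs as the application itself, with access to `parent.document`, cookies and storage. The constructor should not leave that to the caller; before `this.iframe.src = this.url;` it could enforce isolation with `if (!this.iframe.hasAttribute("sandbox")) { this.iframe.setAttribute("sandbox", "allow-scripts"); }`, which must come before the `src` assignment because the attribute is applied when the navigation starts. The new `this.origin` field only matters if the frame can end up same-origin with the page, which is exactly the situation the sandbox exists to prevent, so a comment next to it explaining which browser reports the page's own origin for a sandboxed blob: frame would keep the next maintainer from loosening things further.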
@@ -40,10 +43,14 @@ define(["jquery", "underscore"], function($, _) {
 $window.removeEventListener("message", this.handler, false);
 this.handler = null;
 }
+ if (this.url) {
+ $window.URL.revokeObjectURL(this.url);
+ this.url = null;
+ }
 };
 Sandbox.prototype.onPostMessageReceived = function(event) {
- if (event.origin !== "null" || event.source !== this.target) {
+ if ((event.origin !== "null" && event.origin !== this.origin) || event.source !== this.target) {
 // the sandboxed data-url iframe has "null" as origin
 return;
 }
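Review bot: The comment `// the sandboxed data-url iframe has "null" as origin` under the rewritten condition is now stale on two counts: the frame is loaded from a blob: URL, and the condition also accepts `event.origin === this.origin`, i.e. messages carrying the application's own origin. Accepting the page's own origin is only necessary when the frame is not actually isolated (a blob: document that is not sandboxed, or sandboxed with `allow-same-origin`, shares its creator's origin), which is the case a sandbox should rule out; if a specific browser reports the page origin for a properly sandboxed blob: frame, say so, otherwise `event.origin !== "null"` together with the existing `event.source !== this.target` check should remain the rule. I would replace the comment with `// an isolated frame reports an opaque ("null") origin; a blob: frame that is not isolated reports this page's origin — TODO confirm which browsers need the second case`. The `destroy` method that gains the `revokeObjectURL` block starts outside this hunk; revoking there is correct, since a document that has already loaded keeps working after its object URL is revoked.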