From 98773df76e83a7786669262e553d2a72d34ead56 Mon Sep 17 00:00:00 2001 From: Michael Telatynski <7t3chguy@gmail.com> Date: Fri, 7 Feb 2020 22:07:30 +0000 Subject: [PATCH 1/7] Get rid of dependence on usercontent.riot.im --- .modernizr.json | 4 +-- docs/config.md | 7 +---- src/vector/modernizr.js | 4 +-- src/vector/usercontent/index.html | 12 ++++++++ src/vector/usercontent/index.js | 48 +++++++++++++++++++++++++++++++ webpack.config.js | 14 +++++++-- 6 files changed, 77 insertions(+), 12 deletions(-) create mode 100644 src/vector/usercontent/index.html create mode 100644 src/vector/usercontent/index.js diff --git a/.modernizr.json b/.modernizr.json index 9055ac0731..bd55bd2d06 100644 --- a/.modernizr.json +++ b/.modernizr.json @@ -7,7 +7,6 @@ "feature-detects": [ "test/css/displaytable", "test/css/flexbox", - "test/es5/specification", "test/css/objectfit", "test/storage/localstorage", "test/es6/array", @@ -18,6 +17,7 @@ "test/svg/filters", "test/css/animations", "test/css/filters", - "test/network/fetch" + "test/network/fetch", + "test/iframe/sandbox" ] } diff --git a/docs/config.md b/docs/config.md index 5a252deb1c..d11d8638cd 100644 --- a/docs/config.md +++ b/docs/config.md 
@@ -57,11 +57,6 @@ For a good example, see https://riot.im/develop/config.json. 1. `update_base_url` (electron app only): HTTPS URL to a web server to download updates from. This should be the path to the directory containing `macos` and `win32` (for update packages, not installer packages). -1. `cross_origin_renderer_url`: URL to a static HTML page hosting code to help display - encrypted file attachments. This MUST be hosted on a completely separate domain to - anything else since it is used to isolate the privileges of file attachments to this - domain. Default: `https://usercontent.riot.im/v1.html`. This needs to contain v1.html from - https://github.com/matrix-org/usercontent/blob/master/v1.html 1. `piwik`: Analytics can be disabled by setting `piwik: false` or by leaving the piwik config option out of your config file. If you want to enable analytics, set `piwik` to be an object containing the following properties: @@ -87,7 +82,7 @@ For a good example, see https://riot.im/develop/config.json. default homeserver when signing up or logging in. 1. `permalinkPrefix`: Used to change the URL that Riot generates permalinks with. By default, this is "https://matrix.to" to generate matrix.to (spec) permalinks. - Set this to your Riot instance URL if you run an unfederated server (eg: + Set this to your Riot instance URL if you run an unfederated server (eg: "https://riot.example.org"). Note that `index.html` also has an og:image meta tag that is set to an image diff --git a/src/vector/modernizr.js b/src/vector/modernizr.js index 61fc8dfc4f..ca3f6868e0 100644 --- a/src/vector/modernizr.js +++ b/src/vector/modernizr.js 
@@ -1,3 +1,3 @@ /*! modernizr 3.8.0 (Custom Build) | MIT * - * https://modernizr.com/download/?-cssanimations-cssfilters-displaytable-es5-es6array-es6collections-fetch-flexbox-localstorage-objectfit-promises-svg-svgasimg-svgfilters-setclasses-cssclassprefix:modernizr_ !*/ -!function(window,document,undefined){function is(e,r){return typeof e===r}function testRunner(){var e,r,t,n,o,i,s;for(var d in tests)if(tests.hasOwnProperty(d)){if(e=[],r=tests[d],r.name&&(e.push(r.name.toLowerCase()),r.options&&r.options.aliases&&r.options.aliases.length))for(t=0;t0&&(r+=" "+t+e.join(" "+t)),isSVG?docElement.className.baseVal=r:docElement.className=r)}function createElement(){return"function"!=typeof document.createElement?document.createElement(arguments[0]):isSVG?document.createElementNS.call(document,"http://www.w3.org/2000/svg",arguments[0]):document.createElement.apply(document,arguments)}function getBody(){var e=document.body;return e||(e=createElement(isSVG?"svg":"body"),e.fake=!0),e}function injectElementWithStyles(e,r,t,n){var o,i,s,d,a="modernizr",l=createElement("div"),c=getBody();if(parseInt(t,10))for(;t--;)s=createElement("div"),s.id=n?n[t]:a+(t+1),l.appendChild(s);return o=createElement("style"),o.type="text/css",o.id="s"+a,(c.fake?c:l).appendChild(o),c.appendChild(l),o.styleSheet?o.styleSheet.cssText=e:o.appendChild(document.createTextNode(e)),l.id=a,c.fake&&(c.style.background="",c.style.overflow="hidden",d=docElement.style.overflow,docElement.style.overflow="hidden",docElement.appendChild(c)),i=r(l,e),c.fake?(c.parentNode.removeChild(c),docElement.style.overflow=d,docElement.offsetHeight):l.parentNode.removeChild(l),!!i}function contains(e,r){return!!~(""+e).indexOf(r)}function domToCSS(e){return e.replace(/([A-Z])/g,function(e,r){return"-"+r.toLowerCase()}).replace(/^ms-/,"-ms-")}function computedStyle(e,r,t){var n;if("getComputedStyle"in window){n=getComputedStyle.call(window,e,r);var o=window.console;if(null!==n)t&&(n=n.getPropertyValue(t));else if(o){var 
i=o.error?"error":"log";o[i].call(o,"getComputedStyle returning null, its possible modernizr test results are inaccurate")}}else n=!r&&e.currentStyle&&e.currentStyle[t];return n}function nativeTestProps(e,r){var t=e.length;if("CSS"in window&&"supports"in window.CSS){for(;t--;)if(window.CSS.supports(domToCSS(e[t]),r))return!0;return!1}if("CSSSupportsRule"in window){for(var n=[];t--;)n.push("("+domToCSS(e[t])+":"+r+")");return n=n.join(" or "),injectElementWithStyles("@supports ("+n+") { #modernizr { position: absolute; } }",function(e){return"absolute"===computedStyle(e,null,"position")})}return undefined}function cssToDOM(e){return e.replace(/([a-z])-([a-z])/g,function(e,r,t){return r+t.toUpperCase()}).replace(/^-/,"")}function testProps(e,r,t,n){function o(){s&&(delete mStyle.style,delete mStyle.modElem)}if(n=!is(n,"undefined")&&n,!is(t,"undefined")){var i=nativeTestProps(e,t);if(!is(i,"undefined"))return i}for(var s,d,a,l,c,u=["modernizr","tspan","samp"];!mStyle.style&&u.length;)s=!0,mStyle.modElem=createElement(u.shift()),mStyle.style=mStyle.modElem.style;for(a=e.length,d=0;d9)}),Modernizr.addTest("fetch","fetch"in window),testRunner(),setClasses(classes),delete ModernizrProto.addTest,delete ModernizrProto.addAsyncTest;for(var i=0;i0&&(t+=" "+n+e.join(" "+n)),x?w.className.baseVal=t:w.className=t)}function i(){return"function"!=typeof t.createElement?t.createElement(arguments[0]):x?t.createElementNS.call(t,"http://www.w3.org/2000/svg",arguments[0]):t.createElement.apply(t,arguments)}function s(){var e=t.body;return e||(e=i(x?"svg":"body"),e.fake=!0),e}function a(e,n,r,o){var a,l,f,u,d="modernizr",c=i("div"),p=s();if(parseInt(r,10))for(;r--;)f=i("div"),f.id=o?o[r]:d+(r+1),c.appendChild(f);return 
a=i("style"),a.type="text/css",a.id="s"+d,(p.fake?p:c).appendChild(a),p.appendChild(c),a.styleSheet?a.styleSheet.cssText=e:a.appendChild(t.createTextNode(e)),c.id=d,p.fake&&(p.style.background="",p.style.overflow="hidden",u=w.style.overflow,w.style.overflow="hidden",w.appendChild(p)),l=n(c,e),p.fake?(p.parentNode.removeChild(p),w.style.overflow=u,w.offsetHeight):c.parentNode.removeChild(c),!!l}function l(e,t){return!!~(""+e).indexOf(t)}function f(e){return e.replace(/([A-Z])/g,function(e,t){return"-"+t.toLowerCase()}).replace(/^ms-/,"-ms-")}function u(t,n,r){var o;if("getComputedStyle"in e){o=getComputedStyle.call(e,t,n);var i=e.console;if(null!==o)r&&(o=o.getPropertyValue(r));else if(i){var s=i.error?"error":"log";i[s].call(i,"getComputedStyle returning null, its possible modernizr test results are inaccurate")}}else o=!n&&t.currentStyle&&t.currentStyle[r];return o}function d(t,r){var o=t.length;if("CSS"in e&&"supports"in e.CSS){for(;o--;)if(e.CSS.supports(f(t[o]),r))return!0;return!1}if("CSSSupportsRule"in e){for(var i=[];o--;)i.push("("+f(t[o])+":"+r+")");return i=i.join(" or "),a("@supports ("+i+") { #modernizr { position: absolute; } }",function(e){return"absolute"===u(e,null,"position")})}return n}function c(e){return e.replace(/([a-z])-([a-z])/g,function(e,t,n){return t+n.toUpperCase()}).replace(/^-/,"")}function p(e,t,o,s){function a(){u&&(delete E.style,delete E.modElem)}if(s=!r(s,"undefined")&&s,!r(o,"undefined")){var f=d(e,o);if(!r(f,"undefined"))return f}for(var u,p,m,y,v,h=["modernizr","tspan","samp"];!E.style&&h.length;)u=!0,E.modElem=i(h.shift()),E.style=E.modElem.style;for(m=e.length,p=0;p9)}),Modernizr.addTest("fetch","fetch"in e),Modernizr.addTest("sandbox","sandbox"in i("iframe")),function(){var e,t,n,o,i,s,a;for(var l in S)if(S.hasOwnProperty(l)){if(e=[],t=S[l],t.name&&(e.push(t.name.toLowerCase()),t.options&&t.options.aliases&&t.options.aliases.length))for(n=0;n + + + + + 
diff --git a/src/vector/usercontent/index.js b/src/vector/usercontent/index.js
new file mode 100644
index 0000000000..9c1901f50d
--- /dev/null
+++ b/src/vector/usercontent/index.js
@@ -0,0 +1,48 @@
+var params = window.location.search.substring(1).split('&');
+var lockOrigin;
+for (var i = 0; i < params.length; ++i) {
+ var parts = params[i].split('=');
+ if (parts[0] === 'origin') lockOrigin = decodeURIComponent(parts[1]);
+}
+
+function remoteRender(event) {
+ const data = event.data;
+
+ const img = document.createElement("img");
+ img.id = "img";
+ img.src = data.imgSrc;
+
+ const a = document.createElement("a");
+ a.id = "a";
+ a.rel = data.rel;
+ a.target = data.target;
+ a.download = data.download;
+ a.style = data.style;
+ a.style.fontFamily = "Arial, Helvetica, Sans-Serif";
+ a.href = window.URL.createObjectURL(data.blob);
+ a.appendChild(img);
+ a.appendChild(document.createTextNode(data.textContent));
+
+ const body = document.body;
+ // Don't display scrollbars if the link takes more than one line to display.
+ body.style = "margin: 0px; overflow: hidden";
+ body.appendChild(a);
+}
+
+function remoteSetTint(event) {
+ const data = event.data;
+
+ const img = document.getElementById("img");
+ img.src = data.imgSrc;
+ img.style = data.imgStyle;
+
+ const a = document.getElementById("a");
+ a.style = data.style;
+}
+
+window.onmessage = function(e) {
+ if (lockOrigin === undefined || e.origin === lockOrigin) {
+ if (e.data.blob) remoteRender(e);
+ else remoteSetTint(e);
+ }
+};
diff --git a/webpack.config.js b/webpack.config.js
index b594b129ab..d0b7f0e390 100644
--- a/webpack.config.js
+++ b/webpack.config.js
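Review bot: The origin guard in `window.onmessage` fails open: when the page is loaded without an `origin` query parameter, `lockOrigin` stays `undefined` and a message from any sender reaches `remoteRender` or `remoteSetTint`. The expected origin is also read from the page's own URL, so it is only as trustworthy as whoever built that URL. Provided every legitimate embedder passes `origin` (the embedder is not part of this patch, so confirm), I would drop the `undefined` branch: `if (lockOrigin !== undefined && e.origin === lockOrigin) {`. A comment above the handler should state which mechanism is expected to isolate this page, for example `// Isolation is expected to come from the embedding iframe's sandbox attribute; the origin check is defence in depth.` Separately, `remoteSetTint` dereferences `document.getElementById("img")` without a null check, so a tint message that arrives before any render message throws.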
@@ -18,7 +18,7 @@ module.exports = (env, argv) => { if (argv.mode !== "production") { // This makes the sourcemaps human readable for developers. We use eval-source-map // because the plain source-map devtool ruins the alignment. - development['devtool'] = 'eval-source-map'; + development['devtool'] = 'source-map'; } // Resolve the directories for the react-sdk and js-sdk for later use. We resolve these early so we @@ -34,6 +34,7 @@ module.exports = (env, argv) => { "bundle": "./src/vector/index.js", "indexeddb-worker": "./src/vector/indexeddb-worker.js", "mobileguide": "./src/vector/mobile_guide/index.js", + "usercontent": "./src/vector/usercontent/index.js", // CSS themes "theme-light": "./node_modules/matrix-react-sdk/res/themes/light/css/light.scss", @@ -302,7 +303,7 @@ module.exports = (env, argv) => { // HtmlWebpackPlugin will screw up our formatting like the names // of the themes and which chunks we actually care about. inject: false, - excludeChunks: ['mobileguide'], + excludeChunks: ['mobileguide', 'usercontent'], minify: argv.mode === 'production', vars: { og_image_url: og_image_url, @@ -316,6 +317,14 @@ module.exports = (env, argv) => { minify: argv.mode === 'production', chunks: ['mobileguide'], }), + + // This is the usercontent sandbox's entry point (separate for iframing) + new HtmlWebpackPlugin({ + template: './src/vector/usercontent/index.html', + filename: 'usercontent/index.html', + minify: argv.mode === 'production', + chunks: ['usercontent'], + }), ], output: { @@ -346,6 +355,7 @@ module.exports = (env, argv) => { // tedious in Riot since that can take a while. hot: false, inline: false, + disableHostCheck: true, }, }; }; From d39d89de83c27829f6e6a14c847968f0084310d1 Mon Sep 17 00:00:00 2001 From: Michael Telatynski <7t3chguy@gmail.com> Date: Fri, 7 Feb 2020 22:08:57 +0000 Subject: [PATCH 2/7] revert modernizr change --- .modernizr.json | 1 + src/vector/modernizr.js | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) 
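Review bot: The new `HtmlWebpackPlugin` entry emits `usercontent/index.html` into the same output tree as the app, so the renderer is presumably served from the app's own origin, whereas the paragraph this patch removes from docs/config.md said the renderer MUST be hosted on a completely separate domain. Nothing visible in the series records what replaces that guarantee. If the embedding iframe's `sandbox` attribute is the intended mechanism (the added `test/iframe/sandbox` feature-detect suggests so), the comment on the plugin entry should say it, e.g. `// Served from the app's own origin; isolation relies on the embedding iframe's sandbox attribute.` A short replacement note in docs/config.md would help operators who deployed the old separate-domain setup. The `module.exports` function starts and ends outside these hunks.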
diff --git a/.modernizr.json b/.modernizr.json index bd55bd2d06..1c68542c83 100644 --- a/.modernizr.json +++ b/.modernizr.json @@ -7,6 +7,7 @@ "feature-detects": [ "test/css/displaytable", "test/css/flexbox", + "test/es5/specification", "test/css/objectfit", "test/storage/localstorage", "test/es6/array", diff --git a/src/vector/modernizr.js b/src/vector/modernizr.js index ca3f6868e0..5470b053e7 100644 --- a/src/vector/modernizr.js +++ b/src/vector/modernizr.js 
@@ -1,3 +1,3 @@ /*! modernizr 3.8.0 (Custom Build) | MIT * - * https://modernizr.com/download/?-cssanimations-cssfilters-displaytable-es6array-es6collections-fetch-flexbox-localstorage-objectfit-promises-sandbox-svg-svgasimg-svgfilters-setclasses-cssclassprefix:modernizr_ !*/ -!function(e,t,n){function r(e,t){return typeof e===t}function o(e){var t=w.className,n=Modernizr._config.classPrefix||"";if(x&&(t=t.baseVal),Modernizr._config.enableJSClass){var r=new RegExp("(^|\\s)"+n+"no-js(\\s|$)");t=t.replace(r,"$1"+n+"js$2")}Modernizr._config.enableClasses&&(e.length>0&&(t+=" "+n+e.join(" "+n)),x?w.className.baseVal=t:w.className=t)}function i(){return"function"!=typeof t.createElement?t.createElement(arguments[0]):x?t.createElementNS.call(t,"http://www.w3.org/2000/svg",arguments[0]):t.createElement.apply(t,arguments)}function s(){var e=t.body;return e||(e=i(x?"svg":"body"),e.fake=!0),e}function a(e,n,r,o){var a,l,f,u,d="modernizr",c=i("div"),p=s();if(parseInt(r,10))for(;r--;)f=i("div"),f.id=o?o[r]:d+(r+1),c.appendChild(f);return a=i("style"),a.type="text/css",a.id="s"+d,(p.fake?p:c).appendChild(a),p.appendChild(c),a.styleSheet?a.styleSheet.cssText=e:a.appendChild(t.createTextNode(e)),c.id=d,p.fake&&(p.style.background="",p.style.overflow="hidden",u=w.style.overflow,w.style.overflow="hidden",w.appendChild(p)),l=n(c,e),p.fake?(p.parentNode.removeChild(p),w.style.overflow=u,w.offsetHeight):c.parentNode.removeChild(c),!!l}function l(e,t){return!!~(""+e).indexOf(t)}function f(e){return e.replace(/([A-Z])/g,function(e,t){return"-"+t.toLowerCase()}).replace(/^ms-/,"-ms-")}function u(t,n,r){var o;if("getComputedStyle"in e){o=getComputedStyle.call(e,t,n);var i=e.console;if(null!==o)r&&(o=o.getPropertyValue(r));else if(i){var s=i.error?"error":"log";i[s].call(i,"getComputedStyle returning null, its possible modernizr test results are inaccurate")}}else o=!n&&t.currentStyle&&t.currentStyle[r];return o}function d(t,r){var o=t.length;if("CSS"in e&&"supports"in 
e.CSS){for(;o--;)if(e.CSS.supports(f(t[o]),r))return!0;return!1}if("CSSSupportsRule"in e){for(var i=[];o--;)i.push("("+f(t[o])+":"+r+")");return i=i.join(" or "),a("@supports ("+i+") { #modernizr { position: absolute; } }",function(e){return"absolute"===u(e,null,"position")})}return n}function c(e){return e.replace(/([a-z])-([a-z])/g,function(e,t,n){return t+n.toUpperCase()}).replace(/^-/,"")}function p(e,t,o,s){function a(){u&&(delete E.style,delete E.modElem)}if(s=!r(s,"undefined")&&s,!r(o,"undefined")){var f=d(e,o);if(!r(f,"undefined"))return f}for(var u,p,m,y,v,h=["modernizr","tspan","samp"];!E.style&&h.length;)u=!0,E.modElem=i(h.shift()),E.style=E.modElem.style;for(m=e.length,p=0;p9)}),Modernizr.addTest("fetch","fetch"in e),Modernizr.addTest("sandbox","sandbox"in i("iframe")),function(){var e,t,n,o,i,s,a;for(var l in S)if(S.hasOwnProperty(l)){if(e=[],t=S[l],t.name&&(e.push(t.name.toLowerCase()),t.options&&t.options.aliases&&t.options.aliases.length))for(n=0;n0&&(r+=" "+t+e.join(" "+t)),isSVG?docElement.className.baseVal=r:docElement.className=r)}function createElement(){return"function"!=typeof document.createElement?document.createElement(arguments[0]):isSVG?document.createElementNS.call(document,"http://www.w3.org/2000/svg",arguments[0]):document.createElement.apply(document,arguments)}function getBody(){var e=document.body;return e||(e=createElement(isSVG?"svg":"body"),e.fake=!0),e}function injectElementWithStyles(e,r,t,n){var o,i,s,d,a="modernizr",l=createElement("div"),c=getBody();if(parseInt(t,10))for(;t--;)s=createElement("div"),s.id=n?n[t]:a+(t+1),l.appendChild(s);return 
o=createElement("style"),o.type="text/css",o.id="s"+a,(c.fake?c:l).appendChild(o),c.appendChild(l),o.styleSheet?o.styleSheet.cssText=e:o.appendChild(document.createTextNode(e)),l.id=a,c.fake&&(c.style.background="",c.style.overflow="hidden",d=docElement.style.overflow,docElement.style.overflow="hidden",docElement.appendChild(c)),i=r(l,e),c.fake?(c.parentNode.removeChild(c),docElement.style.overflow=d,docElement.offsetHeight):l.parentNode.removeChild(l),!!i}function contains(e,r){return!!~(""+e).indexOf(r)}function domToCSS(e){return e.replace(/([A-Z])/g,function(e,r){return"-"+r.toLowerCase()}).replace(/^ms-/,"-ms-")}function computedStyle(e,r,t){var n;if("getComputedStyle"in window){n=getComputedStyle.call(window,e,r);var o=window.console;if(null!==n)t&&(n=n.getPropertyValue(t));else if(o){var i=o.error?"error":"log";o[i].call(o,"getComputedStyle returning null, its possible modernizr test results are inaccurate")}}else n=!r&&e.currentStyle&&e.currentStyle[t];return n}function nativeTestProps(e,r){var t=e.length;if("CSS"in window&&"supports"in window.CSS){for(;t--;)if(window.CSS.supports(domToCSS(e[t]),r))return!0;return!1}if("CSSSupportsRule"in window){for(var n=[];t--;)n.push("("+domToCSS(e[t])+":"+r+")");return n=n.join(" or "),injectElementWithStyles("@supports ("+n+") { #modernizr { position: absolute; } }",function(e){return"absolute"===computedStyle(e,null,"position")})}return undefined}function cssToDOM(e){return e.replace(/([a-z])-([a-z])/g,function(e,r,t){return r+t.toUpperCase()}).replace(/^-/,"")}function testProps(e,r,t,n){function o(){s&&(delete mStyle.style,delete mStyle.modElem)}if(n=!is(n,"undefined")&&n,!is(t,"undefined")){var i=nativeTestProps(e,t);if(!is(i,"undefined"))return i}for(var s,d,a,l,c,u=["modernizr","tspan","samp"];!mStyle.style&&u.length;)s=!0,mStyle.modElem=createElement(u.shift()),mStyle.style=mStyle.modElem.style;for(a=e.length,d=0;d9)}),Modernizr.addTest("fetch","fetch"in window),Modernizr.addTest("sandbox","sandbox"in 
createElement("iframe")),testRunner(),setClasses(classes),delete ModernizrProto.addTest,delete ModernizrProto.addAsyncTest;for(var i=0;i Date: Fri, 7 Feb 2020 22:09:41 +0000 Subject: [PATCH 3/7] revert webpack changes --- webpack.config.js | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/webpack.config.js b/webpack.config.js index d0b7f0e390..86e6eb1def 100644 --- a/webpack.config.js +++ b/webpack.config.js @@ -18,7 +18,7 @@ module.exports = (env, argv) => { if (argv.mode !== "production") { // This makes the sourcemaps human readable for developers. We use eval-source-map // because the plain source-map devtool ruins the alignment. - development['devtool'] = 'source-map'; + development['devtool'] = 'eval-source-map'; } // Resolve the directories for the react-sdk and js-sdk for later use. We resolve these early so we @@ -355,7 +355,6 @@ module.exports = (env, argv) => { // tedious in Riot since that can take a while. hot: false, inline: false, - disableHostCheck: true, }, }; }; From b7ed7a1dd789cc19bf27ffb68e7ae3260f95cfc1 Mon Sep 17 00:00:00 2001 From: Michael Telatynski <7t3chguy@gmail.com> Date: Thu, 13 Feb 2020 16:53:45 +0000 Subject: [PATCH 4/7] Update comments and such Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --- src/vector/usercontent/index.js | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/vector/usercontent/index.js b/src/vector/usercontent/index.js index 9c1901f50d..8e77f6860e 100644 --- a/src/vector/usercontent/index.js +++ b/src/vector/usercontent/index.js @@ -11,11 +11,12 @@ function remoteRender(event) { const img = document.createElement("img"); img.id = "img"; img.src = data.imgSrc; + img.style = data.imgStyle; const a = document.createElement("a"); a.id = "a"; - a.rel = data.rel; - a.target = data.target; + a.rel = "noopener"; + a.target = "_blank"; a.download = data.download; a.style = data.style; a.style.fontFamily = "Arial, Helvetica, Sans-Serif"; 
From 22d0d1029ea3f995dfffa033923a6585fb50c5a3 Mon Sep 17 00:00:00 2001 From: Michael Telatynski <7t3chguy@gmail.com> Date: Thu, 13 Feb 2020 16:55:23 +0000 Subject: [PATCH 5/7] update README Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --- README.md | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/README.md b/README.md index 2ae7114687..c4f63d960a 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ Riot Riot (formerly known as Vector) is a Matrix web client built using the [Matrix React SDK](https://github.com/matrix-org/matrix-react-sdk). Riot is officially supported on the web in the last 2 major versions of Chrome, Firefox, and Safari. For Riot on Desktop (electron), -only the officially published app is supported. Other browsers and packages may work, however official support is not provided. +only the officially published app is supported. Other browsers and packages may work, however official support is not provided. For accessing Riot on an Android or iOS device, check out [riot-android](https://github.com/vector-im/riot-android) and [riot-ios](https://github.com/vector-im/riot-ios) - riot-web does not support mobile devices. 
@@ -52,15 +52,6 @@ We have put some coarse mitigations into place to try to protect against this situation, but it's still not good practice to do it in the first place. See https://github.com/vector-im/riot-web/issues/1977 for more details. -The same applies for end-to-end encrypted content, but since this is decrypted -on the client, Riot needs a way to supply the decrypted content from a separate -origin to the one Riot is hosted on. This currently done with a 'cross origin -renderer' which is a small piece of javascript hosted on a different domain. -To avoid all Riot installs needing one of these to be set up, riot.im hosts -one on usercontent.riot.im which is used by default. -https://github.com/vector-im/riot-web/issues/6173 tracks progress on replacing -this with something better. - Building From Source ==================== From 7664eb27c4d53dfeb9fbf57813af254262a456ff Mon Sep 17 00:00:00 2001 From: Michael Telatynski <7t3chguy@gmail.com> Date: Thu, 13 Feb 2020 16:58:28 +0000 Subject: [PATCH 6/7] Move bulk to react-sdk and reference it from riot-web land Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --- src/vector/usercontent/index.html | 12 -------- src/vector/usercontent/index.js | 49 ------------------------------- webpack.config.js | 4 +-- 3 files changed, 2 insertions(+), 63 deletions(-) delete mode 100644 src/vector/usercontent/index.html delete mode 100644 src/vector/usercontent/index.js diff --git a/src/vector/usercontent/index.html b/src/vector/usercontent/index.html deleted file mode 100644 index 90a0fe7c16..0000000000 --- a/src/vector/usercontent/index.html +++ /dev/null @@ -1,12 +0,0 @@ - - - - - - diff --git a/src/vector/usercontent/index.js b/src/vector/usercontent/index.js deleted file mode 100644 index 8e77f6860e..0000000000 --- a/src/vector/usercontent/index.js +++ /dev/null 
@@ -1,49 +0,0 @@ -var params = window.location.search.substring(1).split('&'); -var lockOrigin; -for (var i = 0; i < params.length; ++i) { - var parts = params[i].split('='); - if (parts[0] === 'origin') lockOrigin = decodeURIComponent(parts[1]); -} - -function remoteRender(event) { - const data = event.data; - - const img = document.createElement("img"); - img.id = "img"; - img.src = data.imgSrc; - img.style = data.imgStyle; - - const a = document.createElement("a"); - a.id = "a"; - a.rel = "noopener"; - a.target = "_blank"; - a.download = data.download; - a.style = data.style; - a.style.fontFamily = "Arial, Helvetica, Sans-Serif"; - a.href = window.URL.createObjectURL(data.blob); - a.appendChild(img); - a.appendChild(document.createTextNode(data.textContent)); - - const body = document.body; - // Don't display scrollbars if the link takes more than one line to display. - body.style = "margin: 0px; overflow: hidden"; - body.appendChild(a); -} - -function remoteSetTint(event) { - const data = event.data; - - const img = document.getElementById("img"); - img.src = data.imgSrc; - img.style = data.imgStyle; - - const a = document.getElementById("a"); - a.style = data.style; -} - -window.onmessage = function(e) { - if (lockOrigin === undefined || e.origin === lockOrigin) { - if (e.data.blob) remoteRender(e); - else remoteSetTint(e); - } -}; diff --git a/webpack.config.js b/webpack.config.js index 86e6eb1def..3c7e1c94b2 100644 --- a/webpack.config.js +++ b/webpack.config.js @@ -34,7 +34,7 @@ module.exports = (env, argv) => { "bundle": "./src/vector/index.js", "indexeddb-worker": "./src/vector/indexeddb-worker.js", "mobileguide": "./src/vector/mobile_guide/index.js", - "usercontent": "./src/vector/usercontent/index.js", + "usercontent": "./node_modules/matrix-react-sdk/src/vector/usercontent/index.js", // CSS themes "theme-light": "./node_modules/matrix-react-sdk/res/themes/light/css/light.scss", 
@@ -320,7 +320,7 @@ module.exports = (env, argv) => { // This is the usercontent sandbox's entry point (separate for iframing) new HtmlWebpackPlugin({ - template: './src/vector/usercontent/index.html', + template: './node_modules/matrix-react-sdk/src/vector/usercontent/index.html', filename: 'usercontent/index.html', minify: argv.mode === 'production', chunks: ['usercontent'], From 56f9149e84bb81227dfed3c81ca04d6f5c5ac38f Mon Sep 17 00:00:00 2001 From: Michael Telatynski <7t3chguy@gmail.com> Date: Thu, 13 Feb 2020 17:00:17 +0000 Subject: [PATCH 7/7] update webpack paths Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --- webpack.config.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/webpack.config.js b/webpack.config.js index 3c7e1c94b2..688b39cbf3 100644 --- a/webpack.config.js +++ b/webpack.config.js @@ -34,7 +34,7 @@ module.exports = (env, argv) => { "bundle": "./src/vector/index.js", "indexeddb-worker": "./src/vector/indexeddb-worker.js", "mobileguide": "./src/vector/mobile_guide/index.js", - "usercontent": "./node_modules/matrix-react-sdk/src/vector/usercontent/index.js", + "usercontent": "./node_modules/matrix-react-sdk/src/usercontent/index.js", // CSS themes "theme-light": "./node_modules/matrix-react-sdk/res/themes/light/css/light.scss", @@ -320,7 +320,7 @@ module.exports = (env, argv) => { // This is the usercontent sandbox's entry point (separate for iframing) new HtmlWebpackPlugin({ - template: './node_modules/matrix-react-sdk/src/vector/usercontent/index.html', + template: './node_modules/matrix-react-sdk/src/usercontent/index.html', filename: 'usercontent/index.html', minify: argv.mode === 'production', chunks: ['usercontent'],