Merge pull request #4592 from matrix-org/dbkr/fix_persistent_widgets_desktop_2

Re-fix OpenID requests from widgets

src/WidgetMessaging.js

@@ -41,9 +41,18 @@ if (!global.mxToWidgetMessaging) {
 const OUTBOUND_API_NAME = 'toWidget';
 
 export default class WidgetMessaging {
-    constructor(widgetId, widgetUrl, isUserWidget, target) {
+    /**
+     * @param {string} widgetId The widget's ID
+     * @param {string} wurl The raw URL of the widget as in the event (the 'wURL')
+     * @param {string} renderedUrl The url used in the widget's iframe (either similar to the wURL
+     *     or a different URL of the clients choosing if it is using its own impl).
+     * @param {bool} isUserWidget If true, the widget is a user widget, otherwise it's a room widget
+     * @param {object} target Where widget messages should be sent (eg. the iframe object)
+     */
+    constructor(widgetId, wurl, renderedUrl, isUserWidget, target) {
         this.widgetId = widgetId;
-        this.widgetUrl = widgetUrl;
+        this.wurl = wurl;
+        this.renderedUrl = renderedUrl;
         this.isUserWidget = isUserWidget;
         this.target = target;
         this.fromWidget = global.mxFromWidgetMessaging;
@@ -128,19 +137,19 @@ export default class WidgetMessaging {
     }
 
     start() {
-        this.fromWidget.addEndpoint(this.widgetId, this.widgetUrl);
+        this.fromWidget.addEndpoint(this.widgetId, this.renderedUrl);
         this.fromWidget.addListener("get_openid", this._onOpenIdRequest);
     }
 
     stop() {
-        this.fromWidget.removeEndpoint(this.widgetId, this.widgetUrl);
+        this.fromWidget.removeEndpoint(this.widgetId, this.renderedUrl);
         this.fromWidget.removeListener("get_openid", this._onOpenIdRequest);
     }
 
     async _onOpenIdRequest(ev, rawEv) {
         if (ev.widgetId !== this.widgetId) return; // not interesting
 
-        const widgetSecurityKey = WidgetUtils.getWidgetSecurityKey(this.widgetId, this.widgetUrl, this.isUserWidget);
+        const widgetSecurityKey = WidgetUtils.getWidgetSecurityKey(this.widgetId, this.wurl, this.isUserWidget);
 
         const settings = SettingsStore.getValue("widgetOpenIDPermissions");
         if (settings.deny && settings.deny.includes(widgetSecurityKey)) {
@@ -161,7 +170,7 @@ export default class WidgetMessaging {
         // Actually ask for permission to send the user's data
         Modal.createTrackedDialog("OpenID widget permissions", '',
             WidgetOpenIDPermissionsDialog, {
-                widgetUrl: this.widgetUrl,
+                widgetUrl: this.wurl,
                 widgetId: this.widgetId,
                 isUserWidget: this.isUserWidget,
 

src/components/views/elements/AppTile.js

@@ -424,13 +424,13 @@ export default class AppTile extends React.Component {
     _setupWidgetMessaging() {
         // FIXME: There's probably no reason to do this here: it should probably be done entirely
         // in ActiveWidgetStore.
-
-        // We use the app's URL over the rendered URL so that anything the widget does which could
-        // lead to requesting a "security key" will pass accordingly. The only other thing this URL
-        // is used for is to determine the origin we're talking to, and therefore we don't need the
-        // fully templated URL.
         const widgetMessaging = new WidgetMessaging(
-            this.props.app.id, this._getRenderedUrl(), this.props.userWidget, this._appFrame.current.contentWindow);
+            this.props.app.id,
+            this.props.app.url,
+            this._getRenderedUrl(),
+            this.props.userWidget,
+            this._appFrame.current.contentWindow,
+        );
         ActiveWidgetStore.setWidgetMessaging(this.props.app.id, widgetMessaging);
         widgetMessaging.getCapabilities().then((requestedCapabilities) => {
             console.log(`Widget ${this.props.app.id} requested capabilities: ` + requestedCapabilities);