Sandbox app iframes

pull/21833/head
David Baker 2017-07-12 10:21:43 +01:00
parent 7ae4e96e4d
commit 53316a76f4
2 changed files with 12 additions and 1 deletions

View File

@ -50,6 +50,8 @@ import RoomViewStore from '../../stores/RoomViewStore';
let DEBUG = false;
let debuglog = function() {};
const BROWSER_SUPPORTS_SANDBOX = 'sandbox' in document.createElement('iframe');
if (DEBUG) {
// using bind means that we get to keep useful line numbers in the console
debuglog = console.log.bind(console);
@ -275,6 +277,8 @@ module.exports = React.createClass({
},
_shouldShowApps: function(room) {
if (!BROWSER_SUPPORTS_SANDBOX) return false;
const appsStateEvents = room.currentState.getStateEvents('im.vector.modular.widgets');
// any valid widget = show apps
for (let i = 0; i < appsStateEvents.length; i++) {

View File

@ -121,7 +121,14 @@ export default React.createClass({
} else {
appTileBody = (
<div className="mx_AppTileBody">
<iframe ref="appFrame" src={this.state.widgetUrl} allowFullScreen="true"></iframe>
// Note that there is advice saying allow-scripts shouldn;t be used with allow-same-origin
// because that would allow the iframe to prgramatically remove the sandbox attribute, but
// this would only be for content hosted on the same origin as the riot client: anything
// hosted on the same origin as the client will get the same access access as if you clicked
// a link to it.
<iframe ref="appFrame" src={this.state.widgetUrl} allowFullScreen="true"
sandbox="allow-forms allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-scripts"
></iframe>
</div>
);
}