mirror of https://github.com/vector-im/riot-web
Sandbox app iframes
parent
7ae4e96e4d
commit
53316a76f4
|
@ -50,6 +50,8 @@ import RoomViewStore from '../../stores/RoomViewStore';
|
|||
let DEBUG = false;
|
||||
let debuglog = function() {};
|
||||
|
||||
const BROWSER_SUPPORTS_SANDBOX = 'sandbox' in document.createElement('iframe');
|
||||
|
||||
if (DEBUG) {
|
||||
// using bind means that we get to keep useful line numbers in the console
|
||||
debuglog = console.log.bind(console);
|
||||
|
@ -275,6 +277,8 @@ module.exports = React.createClass({
|
|||
},
|
||||
|
||||
_shouldShowApps: function(room) {
|
||||
if (!BROWSER_SUPPORTS_SANDBOX) return false;
|
||||
|
||||
const appsStateEvents = room.currentState.getStateEvents('im.vector.modular.widgets');
|
||||
// any valid widget = show apps
|
||||
for (let i = 0; i < appsStateEvents.length; i++) {
|
||||
|
|
|
@ -121,7 +121,14 @@ export default React.createClass({
|
|||
} else {
|
||||
appTileBody = (
|
||||
<div className="mx_AppTileBody">
|
||||
<iframe ref="appFrame" src={this.state.widgetUrl} allowFullScreen="true"></iframe>
|
||||
// Note that there is advice saying allow-scripts shouldn;t be used with allow-same-origin
|
||||
// because that would allow the iframe to prgramatically remove the sandbox attribute, but
|
||||
// this would only be for content hosted on the same origin as the riot client: anything
|
||||
// hosted on the same origin as the client will get the same access access as if you clicked
|
||||
// a link to it.
|
||||
<iframe ref="appFrame" src={this.state.widgetUrl} allowFullScreen="true"
|
||||
sandbox="allow-forms allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-scripts"
|
||||
></iframe>
|
||||
</div>
|
||||
);
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue