mirror of
https://github.com/element-hq/element-web.git
synced 2024-12-12 03:26:56 +03:00
Sandbox app iframes
This commit is contained in:
parent
7ae4e96e4d
commit
53316a76f4
2 changed files with 12 additions and 1 deletions
|
@ -50,6 +50,8 @@ import RoomViewStore from '../../stores/RoomViewStore';
|
||||||
let DEBUG = false;
|
let DEBUG = false;
|
||||||
let debuglog = function() {};
|
let debuglog = function() {};
|
||||||
|
|
||||||
|
const BROWSER_SUPPORTS_SANDBOX = 'sandbox' in document.createElement('iframe');
|
||||||
|
|
||||||
if (DEBUG) {
|
if (DEBUG) {
|
||||||
// using bind means that we get to keep useful line numbers in the console
|
// using bind means that we get to keep useful line numbers in the console
|
||||||
debuglog = console.log.bind(console);
|
debuglog = console.log.bind(console);
|
||||||
|
@ -275,6 +277,8 @@ module.exports = React.createClass({
|
||||||
},
|
},
|
||||||
|
|
||||||
_shouldShowApps: function(room) {
|
_shouldShowApps: function(room) {
|
||||||
|
if (!BROWSER_SUPPORTS_SANDBOX) return false;
|
||||||
|
|
||||||
const appsStateEvents = room.currentState.getStateEvents('im.vector.modular.widgets');
|
const appsStateEvents = room.currentState.getStateEvents('im.vector.modular.widgets');
|
||||||
// any valid widget = show apps
|
// any valid widget = show apps
|
||||||
for (let i = 0; i < appsStateEvents.length; i++) {
|
for (let i = 0; i < appsStateEvents.length; i++) {
|
||||||
|
|
|
@ -121,7 +121,14 @@ export default React.createClass({
|
||||||
} else {
|
} else {
|
||||||
appTileBody = (
|
appTileBody = (
|
||||||
<div className="mx_AppTileBody">
|
<div className="mx_AppTileBody">
|
||||||
<iframe ref="appFrame" src={this.state.widgetUrl} allowFullScreen="true"></iframe>
|
// Note that there is advice saying allow-scripts shouldn;t be used with allow-same-origin
|
||||||
|
// because that would allow the iframe to prgramatically remove the sandbox attribute, but
|
||||||
|
// this would only be for content hosted on the same origin as the riot client: anything
|
||||||
|
// hosted on the same origin as the client will get the same access access as if you clicked
|
||||||
|
// a link to it.
|
||||||
|
<iframe ref="appFrame" src={this.state.widgetUrl} allowFullScreen="true"
|
||||||
|
sandbox="allow-forms allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-scripts"
|
||||||
|
></iframe>
|
||||||
</div>
|
</div>
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue