mirror of
https://github.com/ether/etherpad-lite.git
synced 2025-01-19 14:13:34 +01:00
ace.js: Don't use srcdoc when creating iframes (see #4975)
Using srcdoc, especially with multiple nested iframes, seems to be problematic when using `self` in CSP policies.
This commit is contained in:
parent
9fda5adcef
commit
e61888dfe2
2 changed files with 5 additions and 2 deletions
1
src/static/empty.html
Normal file
1
src/static/empty.html
Normal file
|
@ -0,0 +1 @@
|
|||
<!DOCTYPE html><html><head><title>Empty</title></head><body></body></html>
|
|
@ -197,7 +197,9 @@ const Ace2Editor = function () {
|
|||
// - Chrome never fires any events on the frame or document. Eventually the document's
|
||||
// readyState becomes 'complete' even though it never fires a readystatechange event.
|
||||
// - Safari behaves like Chrome.
|
||||
outerFrame.srcdoc = '<!DOCTYPE html>';
|
||||
// srcdoc is avoided because Firefox's Content Security Policy engine does not properly handle
|
||||
// 'self' with nested srcdoc iframes: https://bugzilla.mozilla.org/show_bug.cgi?id=1721296
|
||||
outerFrame.src = '../static/empty.html';
|
||||
info.frame = outerFrame;
|
||||
document.getElementById(containerId).appendChild(outerFrame);
|
||||
const outerWindow = outerFrame.contentWindow;
|
||||
|
@ -240,7 +242,7 @@ const Ace2Editor = function () {
|
|||
innerFrame.allowTransparency = true; // for IE
|
||||
// The iframe MUST have a src or srcdoc property to avoid browser quirks. See the comment above
|
||||
// outerFrame.srcdoc.
|
||||
innerFrame.srcdoc = '<!DOCTYPE html>';
|
||||
innerFrame.src = 'empty.html';
|
||||
outerDocument.body.insertBefore(innerFrame, outerDocument.body.firstChild);
|
||||
const innerWindow = innerFrame.contentWindow;
|
||||
|
||||
|
|
Loading…
Reference in a new issue