templates/sitekey_frame.tmpl - Issue 29329256: Issue 3122 - Restrict allowed URLs for the sitekey_frame

Delta Between Two Patch Sets: templates/sitekey_frame.tmpl

Issue 29329256: Issue 3122 - Restrict allowed URLs for the sitekey_frame (Closed)

Left Patch Set: Created Oct. 16, 2015, 12:25 p.m.

Right Patch Set: Gone with Manvel's suggestion Created Nov. 19, 2015, 12:54 p.m.

Left:
Right:

Use n/p to move between diff chunks; N/P to move between comments.

Jump to:

Left: Side by side diff | Download
Right: Side by side diff | Download

LEFT	RIGHT
1 {% extends "frame.tmpl" %}	1 {% extends "frame.tmpl" %}

2	2

3 {% block body %}	3 {% block body %}

4 <script type="text/javascript">	4 <script type="text/javascript">

5 function frame_url(parent_location)	5 function frame_url(parent_location)

6 {	6 {

7 var href = parent_location.href;	7 return parent_location.origin + parent_location.hash.substring(1);

8 var hash = parent_location.hash;

9 return base_href = href.substr(
saroyanm 2015/11/16 13:53:25 The description says Restrict allowed URLs for the The description says Restrict allowed URLs for the sitekey_frame, I'm not sure what the frame_url suppose to return and why it's extracting the origin of the URL and concatenating the hash value without hash sign assigned to it ? kzar 2015/11/16 23:01:09 So the sitekey_frame page contains a big iFrame an Show quoted text On 2015/11/16 13:53:25, saroyanm wrote: > The description says Restrict allowed URLs for the sitekey_frame, I'm not sure > what the frame_url suppose to return and why it's extracting the origin of the > URL and concatenating the hash value without hash sign assigned to it ? So the sitekey_frame page contains a big iFrame and sets its source based on the hash part of the URL using JavaScript. The reason for that is that we can have a dynamically generated sitekey_frame page that has the correct sitekey headers etc that then displays a statically generated page inside. That way we can write tests for sitekey functionality in the future without further changes to the sitescripts repository. All I'm doing here is adding a bit of security, previously I set the src of the iFrame to be hash part of the URL without any restrictions. In theory someone could have typed ...#http://google.com , which would have set the source of the iframe to http://google.com. This change avoids that by prepending the current domain to it so only relative paths will work. saroyanm 2015/11/17 11:28:33 I see. What about: return parent_location.origin + Show quoted text On 2015/11/16 23:01:09, kzar wrote: > On 2015/11/16 13:53:25, saroyanm wrote: > > The description says Restrict allowed URLs for the sitekey_frame, I'm not sure > > what the frame_url suppose to return and why it's extracting the origin of the > > URL and concatenating the hash value without hash sign assigned to it ? > > So the sitekey_frame page contains a big iFrame and sets its source based on the > hash part of the URL using JavaScript. The reason for that is that we can have a > dynamically generated sitekey_frame page that has the correct sitekey headers > etc that then displays a statically generated page inside. That way we can write > tests for sitekey functionality in the future without further changes to the > sitescripts repository. > > All I'm doing here is adding a bit of security, previously I set the src of the > iFrame to be hash part of the URL without any restrictions. In theory someone > could have typed ...#http://google.com , which would have set the source of the > iframe to http://google.com. This change avoids that by prepending the current > domain to it so only relative paths will work. I see. What about: return parent_location.origin + parent_location.hash.substring(1) ? kzar 2015/11/19 12:56:00 Good point, much better. Done. Show quoted text On 2015/11/17 11:28:33, saroyanm wrote: > On 2015/11/16 23:01:09, kzar wrote: > > On 2015/11/16 13:53:25, saroyanm wrote: > > > The description says Restrict allowed URLs for the sitekey_frame, I'm not > sure > > > what the frame_url suppose to return and why it's extracting the origin of > the > > > URL and concatenating the hash value without hash sign assigned to it ? > > > > So the sitekey_frame page contains a big iFrame and sets its source based on > the > > hash part of the URL using JavaScript. The reason for that is that we can have > a > > dynamically generated sitekey_frame page that has the correct sitekey headers > > etc that then displays a statically generated page inside. That way we can > write > > tests for sitekey functionality in the future without further changes to the > > sitescripts repository. > > > > All I'm doing here is adding a bit of security, previously I set the src of > the > > iFrame to be hash part of the URL without any restrictions. In theory someone > > could have typed ...#http://google.com , which would have set the source of > the > > iframe to http://google.com. This change avoids that by prepending the current > > domain to it so only relative paths will work. > > I see. > What about: > return parent_location.origin + parent_location.hash.substring(1) ? Good point, much better. Done.
10 0, href.length - hash.length - parent_location.pathname.length

11 ) + hash.substring(1);

12 }	8 }

13 </script>	9 </script>

14 {% endblock %}	10 {% endblock %}

LEFT	RIGHT