Issue 3122 - Restrict allowed URLs for the sitekey_frame

templates/sitekey_frame.tmpl

Index: templates/sitekey_frame.tmpl
diff --git a/templates/sitekey_frame.tmpl b/templates/sitekey_frame.tmpl
index c136b2ad2086070e81ff33f6584859f3a870fa98..96d392e02519bb389616eb8e6523a878057b106b 100644
--- a/templates/sitekey_frame.tmpl
+++ b/templates/sitekey_frame.tmpl
@@ -4,7 +4,11 @@
 <script type="text/javascript">
   function frame_url(parent_location)
   {
-    return parent_location.hash.substring(1);
+    var href = parent_location.href;
+    var hash = parent_location.hash;
+    return base_href = href.substr(

[saroyanm, 2015/11/16 13:53:25]

The description says Restrict allowed URLs for the sitekey_frame, I'm not sure
what the frame_url suppose to return and why it's extracting the origin of the
URL and concatenating the hash value without hash sign assigned to it ?

[kzar, 2015/11/16 23:01:09]

So the sitekey_frame page contains a big iFrame and sets its source based on the
hash part of the URL using JavaScript. The reason for that is that we can have a
dynamically generated sitekey_frame page that has the correct sitekey headers
etc that then displays a statically generated page inside. That way we can write
tests for sitekey functionality in the future without further changes to the
sitescripts repository.

All I'm doing here is adding a bit of security, previously I set the src of the
iFrame to be hash part of the URL without any restrictions. In theory someone
could have typed ...#http://google.com , which would have set the source of the
iframe to http://google.com. This change avoids that by prepending the current
domain to it so only relative paths will work.

[saroyanm, 2015/11/17 11:28:33]

I see.
What about:
return parent_location.origin + parent_location.hash.substring(1) ?

[kzar, 2015/11/19 12:56:00]

Good point, much better. Done.

+      0, href.length - hash.length - parent_location.pathname.length
+    ) + hash.substring(1);
   }
 </script>
 {% endblock %}