Support sandboxed iframe #8921
Comments
Regarding
For localization this could be changed. Using sandbox="allow-same-origin allow-scripts" is already an isolation improvement, but COOL does not work properly in those conditions.
Using
Yes - but from a security perspective I don't want to grant an application Under the assumption that the iframed application is compromised by a vulnerability it can leave the iframe and also attack the parent application.
I understand, and Collabora Online could support it with some effort. Collabora Online already uses only
An option on your end is to host Collabora-online on a host with a different domain (or just port difference).
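The trade-off in the comments above (`allow-same-origin allow-scripts` versus an opaque origin, and hosting the editor on a different origin) can be checked mechanically. This is an added example, not code from the issue or from Collabora Online; `assessSandbox`, the hostnames and the port are constructed for illustration.

```javascript
// Added example (not Collabora Online code): models how the iframe sandbox
// tokens and the frame's origin combine. Hostnames and ports are constructed.
function assessSandbox(sandboxAttr, parentUrl, frameUrl) {
  const parentOrigin = new URL(parentUrl).origin;
  const urlOrigin = new URL(frameUrl).origin; // scheme + host + port
  const sandboxed = sandboxAttr !== null; // null means the attribute is absent
  const tokens = new Set(
    sandboxed ? sandboxAttr.toLowerCase().split(/\s+/).filter(Boolean) : []
  );
  const scripts = !sandboxed || tokens.has("allow-scripts");
  // A sandboxed document without allow-same-origin gets an opaque origin.
  const opaqueOrigin = sandboxed && !tokens.has("allow-same-origin");
  const sameOriginAsParent = !opaqueOrigin && urlOrigin === parentOrigin;
  const findings = [];
  if (!scripts) findings.push("scripts blocked: a script-driven editor cannot start");
  if (opaqueOrigin) {
    findings.push("opaque origin: parent DOM and localStorage access throw " +
      "SecurityError; postMessage still crosses the boundary");
  }
  if (scripts && sameOriginAsParent) {
    findings.push(sandboxed
      ? "frame script can reach the parent DOM and remove its own sandbox attribute"
      : "no sandbox, same origin: frame script has full access to the parent DOM");
  }
  return {
    opaqueOrigin,
    canReachParentDom: scripts && sameOriginAsParent,
    // Simplification: ignores browser third-party storage blocking.
    originStorage: scripts && !opaqueOrigin,
    findings,
  };
}

const PARENT = "https://cloud.example.test/"; // constructed embedding app
const CASES = [
  ["allow-scripts", "https://cloud.example.test/editor"],
  ["allow-same-origin allow-scripts", "https://cloud.example.test/editor"],
  ["allow-same-origin allow-scripts", "https://cloud.example.test:9980/editor"],
  ["allow-same-origin allow-scripts", "https://office.example.test/editor"],
];
for (const [attr, url] of CASES) {
  const r = assessSandbox(attr, PARENT, url);
  console.log(`sandbox="${attr}" src=${url}`);
  console.log(`  canReachParentDom=${r.canReachParentDom} originStorage=${r.originStorage}`);
  for (const f of r.findings) console.log(`  - ${f}`);
}
```

Only the second case, same origin with both tokens, leaves the parent DOM reachable; a different port or host keeps origin-scoped storage working while the same-origin policy still separates the frame from the parent.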
Question is - where are we not using post-message? There is that frame resizing thing; @meven do we have a short list of things to fix that get this wrong? =)
I have a POC branch of Collabora Online with localstorage turned off, localization off and without the resize iframe that runs in Firefox (but not Chrome) and Firefox has presentation restriction (even with a
The _fileDownloader iframe could also be replaced either with a "<a download" or window.downloads.
I have tested the clipboard and it seems affected for complex pasting (but that might be another issue). I have made a branch that has a few features turned off as a baseline to test COOL with https://github.com/meven/cool-online/tree/meven/iframe-sandboxed The missing features are the welcome window, l18n, presenting in window is broken and full-screen not-working. Apart from that, I haven't noticed any problems. Some compatibility changes are missing (replacing in Map.js the _fileDownloader and _resizeDetector by other means (a download, and ResizeObserver ) that can already be made in
Getting a new server-side setting storage API implemented is really a larger task if we can't use the browser setting storage; this is a longer term task I think.
Describe the Bug
Collabora Online cannot be used inside a sandboxed iframe because Collabora tries to access the parent document.
See screenshots below for further details.
Steps to Reproduce
<iframe sandbox="allow-scripts">
Expected Behavior
Shall load
Actual Behavior
Does not load
Screenshots
Desktop
Additional Context
ocis docker setup as per https://github.com/owncloud/ocis/tree/master/deployments/examples/ocis_wopi