
fix(code-uri): Chrome iframe error with XSS Auditor #15064

Merged
merged 1 commit into from
Jun 10, 2017

Conversation

raisedadead
Member

@raisedadead raisedadead commented May 26, 2017

  • remove solution from URI on read
  • ~~disable code auto run~~ auto run works perfectly.
  • ~~add code locking~~ not required as tested.
  • disable code uri updating

Closes #13727

I have tested that these are the minimum required changes that we need to make to get away with the least impact on the existing UX.

One caveat that is, unfortunately, a part of this is the ability to share a URL that had the code in it, but IMHO it's for the good, since we had considered deprecating that capability anyway.

Please QA and let me know for changes.

@raisedadead raisedadead added status: waiting review To be applied to PR's that are ready for QA, especially when additional review is pending. status: blocked Is waiting on followup from either the Opening Poster of the issue or PR, or a maintainer. labels May 26, 2017
Member

@systimotic systimotic left a comment

This works upon load, which is an improvement and tells us this fix will work, which is great. However, as soon as I start typing, the URL is updated and things break. If we stop updating the URL, I believe this fix will work. Disabling auto run does not seem necessary to me, we only need to stop changing the URL.
As an aside, we should take a look at what this does to solutions in your profile once we fix this.

Great work!

@@ -101,7 +101,6 @@ window.common = (function(global) {
if (!query) {
return null;
}
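Review bot: the header `@@ -101,7 +101,6 @@` records a one-line removal inside `window.common`, but only the unchanged guard `if (!query) { return null; }` is shown, so the removed line cannot be reviewed from this excerpt; please include it or describe it in the PR description. The visible guard also means every caller must handle a `null` return, so it would help to confirm that the call sites this PR touches (reading the solution from the URI on load) do so.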

@BerkeleyTrue
Contributor

@systimotic I've updated the user stories for this PR

I don't believe this will have an effect on loading user solutions, since this still loads the code initially

- remove solution from URI when read
- remove querify solution upon edit or reset
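The two user stories above, as an added illustration that is not freeCodeCamp's code: the solution is read from the URL query once on load and handed to the editor, the address is then rewritten without it, and typing or resetting no longer writes the editor contents back into the URL (the old "querify" step). Keeping the code out of the URL matters because Chrome's XSS Auditor flags page content that also appears in the request URL, which is exactly what rendering a query-string snippet in the iframe causes. The parameter name `solution`, the `EditorState` model and the `example.test` URL are assumptions for illustration; `urlHistory` stands in for `history.replaceState` so the flow runs under Node as well as in a browser.

```javascript
// Added example, not freeCodeCamp's code: the "read once, then strip" pattern
// from the PR's user stories. The `solution` parameter name, the EditorState
// model and the example.test URL are assumptions made for illustration.

// Pull the code out of the URL query and return the URL without it.
// `code` is null when the parameter is absent, so callers must check it.
function extractSolutionFromUrl(href, param = 'solution') {
  const url = new URL(href);
  const code = url.searchParams.get(param);
  if (code === null) {
    return { code: null, cleanHref: href };
  }
  url.searchParams.delete(param);
  return { code, cleanHref: url.toString() };
}

// The old "querify" step: write the editor contents back into the URL.
// Kept only to show the behaviour the PR removes.
function querifySolution(href, code, param = 'solution') {
  const url = new URL(href);
  url.searchParams.set(param, code);
  return url.toString();
}

// Minimal editor model. `urlHistory` records what history.replaceState
// would have been called with, so the flow can be checked without a browser.
class EditorState {
  constructor({ querifyOnEdit = false } = {}) {
    this.querifyOnEdit = querifyOnEdit;
    this.code = '';
    this.urlHistory = [];
  }

  // Page load: parse code from the URL into the editor first, then record
  // the cleaned URL so the code is no longer part of the address.
  load(href) {
    const { code, cleanHref } = extractSolutionFromUrl(href);
    if (code !== null) {
      this.code = code;
    }
    this.urlHistory.push(cleanHref);
    return this;
  }

  // Typing or reset: with querifyOnEdit disabled the URL is left alone.
  edit(newCode) {
    this.code = newCode;
    if (this.querifyOnEdit && this.urlHistory.length > 0) {
      this.urlHistory.push(querifySolution(this.currentHref(), newCode));
    }
    return this;
  }

  currentHref() {
    return this.urlHistory[this.urlHistory.length - 1];
  }
}

// Browser glue: rewrite the address bar in place. Returns the cleaned href,
// or null when there is no window (e.g. under Node), so it is safe to load anywhere.
function stripSolutionFromLocation() {
  if (typeof window === 'undefined' || !window.history || !window.location) {
    return null;
  }
  const { cleanHref } = extractSolutionFromUrl(window.location.href);
  window.history.replaceState(null, '', cleanHref);
  return cleanHref;
}

// Constructed sample input: a challenge URL carrying a solution in its query.
const SAMPLE_CODE = 'function add(a, b) { return a + b; }';
const SAMPLE_HREF =
  'https://example.test/challenges/add?solution=' + encodeURIComponent(SAMPLE_CODE);

// Run both behaviours side by side: the URL after one keystroke with the old
// querify step (code ends up back in the address) and with the PR's fix.
function demo() {
  const before = new EditorState({ querifyOnEdit: true }).load(SAMPLE_HREF).edit('x');
  const after = new EditorState({ querifyOnEdit: false }).load(SAMPLE_HREF).edit('x');
  return { beforeHref: before.currentHref(), afterHref: after.currentHref() };
}

console.log(demo());
```

In a page, `stripSolutionFromLocation()` is the only call needed after the editor has been populated; `load` deliberately reads the code before recording the cleaned URL, which is the ordering the author confirms below (existing URL code is parsed in and added to the editor before being removed).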
@camperbot
Contributor

@raisedadead updated the pull request.

@raisedadead raisedadead removed the status: blocked Is waiting on followup from either the Opening Poster of the issue or PR, or a maintainer. label May 27, 2017
@raisedadead
Member Author

Just to note:

  1. I have ensured that existing URL code is parsed in, and added to the editor before being removed.
  2. Code submission and save in DB is NOT affected.

Please let me know if I might have missed any corner cases.

@systimotic
Member

Looks like this works great! I can confirm that this resolves the original issue.

What I was worried about was loading and especially saving the user solutions, but that still works wonderfully. I originally thought it may have been doing that based on the URL, but luckily that was not the case.

@BerkeleyTrue Can you confirm, and if everything is OK, merge and deploy?

@raisedadead
Member Author

> I originally thought it may have been doing that based on the URL, but luckily that was not the case.

Yes, actually that's what made analyzing and testing take so long; it turns out I wasn't aware of a ton of the inner workings of the code runner. Lol.

@BerkeleyTrue
Contributor

Code LGTM.
Since both of you have tested it out, I'm going to go ahead and launch this.

@BerkeleyTrue BerkeleyTrue merged commit f403fea into freeCodeCamp:backup/master Jun 10, 2017
@BerkeleyTrue BerkeleyTrue removed the status: waiting review To be applied to PR's that are ready for QA, especially when additional review is pending. label Jun 10, 2017
@raisedadead raisedadead deleted the fix/chrome-unsafe-code-error branch June 10, 2017 06:39
4 participants