
Prevent non-widgets from being embedded in iframes #8662

Merged (2 commits), Apr 29, 2022

Conversation

@pdurbin (Member) commented Apr 28, 2022

What this PR does / why we need it:

Prevents non-widgets from being embedded in iframes.

Which issue(s) this PR closes:

Special notes for your reviewer:

Suggestions on how to test this:

I'd suggest setting up two servers that are using the same port. Probably 443 (HTTPS) would be used in production. On one server, deploy this branch. On the other server, all you need is Apache or any web server to serve a static HTML file. In the static HTML file, I'd suggest copying and pasting code from the widgets tabs. Widgets should still work. You should also try including non-widget pages (e.g. the homepage) in an <iframe>. This should fail.

I didn't set up two servers. Instead I used the "logos" directory in docroot to host the static HTML file. That is, I placed the following in /usr/local/payara5/glassfish/domains/domain1/docroot/logos/42/index.html

<html>
<body>
<p>Homepage example:</p>
<iframe id="homepage"
    title="Homepage"
    width="800"
    height="480"
    src="http://localhost:8080">
</iframe>
<p>Widget example:</p>
<iframe id="widget"
    title="Widget"
    width="800"
    height="480"
    src="http://localhost:8080/dataverse/root?widget=dataverse@root">
</iframe>
</body>
</html>

Then I navigated to http://localhost:8080/logos/42/index.html in Firefox, Chrome, and Safari. I'll post screenshots of each below. In each, a widget is displayed.

Firefox.

Screen Shot 2022-04-28 at 3 26 24 PM

Chrome (you have to hover your mouse to see the message)

Screen Shot 2022-04-28 at 3 26 50 PM

Safari

Screen Shot 2022-04-28 at 3 27 22 PM

Does this PR introduce a user interface change? If mockups are available, please link/include them here:

Not really. Screenshots are above under "testing".

Is there a release notes update needed for this change?:

Probably. Included.

Additional documentation:

None.
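Added check, not from this PR: an offline script that models the manual test above, requiring widget URLs (widget= parameter or widgets.js) to remain frameable and everything else to be denied, judged from the standard X-Frame-Options and CSP frame-ancestors response headers. The header names and the sample responses are assumptions, since the PR text does not state which header Dataverse sends.

```python
"""Offline check of the framing rules this PR is testing: widget URLs stay
embeddable, every other page refuses to be framed. Header names and the
sample responses are assumptions; the PR text does not show which header Dataverse sends."""
from urllib.parse import parse_qs, urlparse

def is_widget_url(url: str) -> bool:
    """Widget requests carry ?widget=... or load /resources/js/widgets.js (as in the test pages)."""
    parts = urlparse(url)
    return "widget" in parse_qs(parts.query) or parts.path.endswith("/resources/js/widgets.js")

def framing_policy(headers: dict) -> str:
    """Classify as 'deny', 'same-origin' or 'allow'; CSP frame-ancestors wins over
    X-Frame-Options, as in browsers that support the directive."""
    lower = {k.lower(): v for k, v in headers.items()}
    for directive in lower.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split()
            if sources == ["'none'"]:
                return "deny"
            if sources == ["'self'"]:
                return "same-origin"
            return "allow"
    xfo = lower.get("x-frame-options", "").strip().upper()
    return {"DENY": "deny", "SAMEORIGIN": "same-origin"}.get(xfo, "allow")

def matches_pr_expectation(url: str, headers: dict) -> bool:
    """Widgets must be frameable; non-widgets must be denied outright. The PR's own test
    framed the homepage from the same origin and it was blocked, so SAMEORIGIN is not enough."""
    policy = framing_policy(headers)
    return policy == "allow" if is_widget_url(url) else policy == "deny"

# Constructed sample responses (not captured from a real Dataverse server).
SAMPLE_RESPONSES = {
    "http://localhost:8080": {"Content-Security-Policy": "frame-ancestors 'none'"},
    "http://localhost:8080/dataverse/root?widget=dataverse@root": {"Content-Type": "text/html"},
    "http://localhost:8080/resources/js/widgets.js?alias=root&widget=search": {},
    # A regression: homepage only sends SAMEORIGIN, which would not reproduce the blocked embed.
    "http://localhost:8080/?weak": {"X-Frame-Options": "SAMEORIGIN"},
}

def run_checks(responses=SAMPLE_RESPONSES) -> dict:
    """Map each URL to True/False depending on whether it behaves as the PR intends."""
    return {url: matches_pr_expectation(url, hdrs) for url, hdrs in responses.items()}

if __name__ == "__main__":
    for url, ok in run_checks().items():
        print("PASS" if ok else "FAIL", url)
```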

@pdurbin (Member, Author) commented Apr 28, 2022

p.s. I also just tried the actual widgets...

<html>
<body>
<script src="http://localhost:8080/resources/js/widgets.js?alias=root&amp;dvUrl=http://localhost:8080&amp;widget=search&amp;text=Search+my+dataverse"></script>
<br>
<script src="http://localhost:8080/resources/js/widgets.js?alias=root&amp;dvUrl=http://localhost:8080&amp;widgetScope=root&amp;widget=iframe&amp;heightPx=500"></script>
<br>
<script src="http://localhost:8080/resources/js/widgets.js?persistentId=doi:10.5072/FK2/QGT2O0&amp;dvUrl=http://localhost:8080&amp;widget=citation&amp;heightPx=150"></script>
<br>
<script src="http://localhost:8080/resources/js/widgets.js?persistentId=doi:10.5072/FK2/QGT2O0&amp;dvUrl=http://localhost:8080&amp;widget=iframe&amp;heightPx=500"></script>
<br>
...

... and they still seem to work fine on my laptop:

Screen Shot 2022-04-28 at 4 06 18 PM

@kcondon kcondon self-assigned this Apr 29, 2022
@kcondon kcondon merged commit 666ccb0 into develop Apr 29, 2022
@kcondon kcondon deleted the ds54-csp branch April 29, 2022 18:16
@pdurbin pdurbin added this to the 5.11 milestone May 4, 2022