-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow webviews to be set as trusted viewers #5592
Allow webviews to be set as trusted viewers #5592
Conversation
Webviews can't set `ancestorOrigins` properly (maybe?), we can't use it to tell if we are in a trusted viewer context. Instead, fall back to our "old browser" path, which creates a `trustedViewerResolver_`. When the webview's integration script [sets the message deliverer](https://github.com/ampproject/amphtml/blob/f28e116/src/service/viewer-impl.js#L947), it [will resolve](https://github.com/ampproject/amphtml/blob/f28e116/src/service/viewer-impl.js#L961-L962) to the webview's passed origin. Fixes ampproject#5563.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you add a test?
* Whether the AMP document is embedded in a webview. | ||
* @private @const {boolean} | ||
*/ | ||
this.isWebviewEmbedded_ = this.params_['webview']; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
!!
to cast to boolean?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Params are always strings. So, if webview == '0'
that wouldn't work. Instead it should be this.params_['webview'] == '1'
or such.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
@@ -293,7 +299,7 @@ export class Viewer { | |||
// Not embedded in IFrame - can't trust the viewer. | |||
trustedViewerResolved = false; | |||
trustedViewerPromise = Promise.resolve(false); | |||
} else if (this.win.location.ancestorOrigins) { | |||
} else if (this.win.location.ancestorOrigins && !this.isWebviewEmbedded_) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we also check that the document is NOT currently iframed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's a great case. I've added this to the #isWebviewEmbeded
boolean, and added tests.
We treat them like normal iframes.
Tons 'o tests. |
7423847
to
479470f
Compare
* Allow webviews to be set as trusted viewers Webviews can't set `ancestorOrigins` properly (maybe?), we can't use it to tell if we are in a trusted viewer context. Instead, fall back to our "old browser" path, which creates a `trustedViewerResolver_`. When the webview's integration script [sets the message deliverer](https://github.com/ampproject/amphtml/blob/f28e116/src/service/viewer-impl.js#L947), it [will resolve](https://github.com/ampproject/amphtml/blob/f28e116/src/service/viewer-impl.js#L961-L962) to the webview's passed origin. Fixes ampproject#5563. * Add tests * Do not trust "webviews" that are really bad actor iframes We treat them like normal iframes. * Test for '1' explicitly * Fix test
* Allow webviews to be set as trusted viewers Webviews can't set `ancestorOrigins` properly (maybe?), we can't use it to tell if we are in a trusted viewer context. Instead, fall back to our "old browser" path, which creates a `trustedViewerResolver_`. When the webview's integration script [sets the message deliverer](https://github.com/ampproject/amphtml/blob/f28e116/src/service/viewer-impl.js#L947), it [will resolve](https://github.com/ampproject/amphtml/blob/f28e116/src/service/viewer-impl.js#L961-L962) to the webview's passed origin. Fixes ampproject#5563. * Add tests * Do not trust "webviews" that are really bad actor iframes We treat them like normal iframes. * Test for '1' explicitly * Fix test
Webviews can't set
ancestorOrigins
properly (maybe?), we can't use it to tell if we are in a trusted viewer context. Instead, fall back to our "old browser" path, which creates atrustedViewerResolver_
. When the webview's integration script sets the message deliverer, it will resolve to the webview's passed origin.Fixes #5563.