Torrent Viewer CSP rule blocks <iframe> content #7366

feross · 2017-02-23T23:46:01Z

Test Plan:

Load the WIRED CD torrent from https://codepen.io/ferossity/full/qaezaB/
Start the torrent
Click on a non-media file like poster.jpg or README.md to view it in Brave.
It should load and display correctly.

Description

Torrent content is rendered into <iframe> when it's not video or audio
content. For example, a .jpg or a .pdf file. This is because we're
using a viewer page that includes the content; we're not returning the
content directly.

This is because the torrent may not be active and in that case, we show
the "Start Download?" page.

When this occurs, CSP prevents the iframe from loading content from the
webtorrent server at http://localhost:port

This is because we only make a CSP exception for media elements, not
iframe elements. This is an easy fix.

Fixes: #7243

Submitted a ticket for my issue if one did not already exist.
Used Github auto-closing keywords in the commit message.
Added/updated tests for this change (for new code or code which already has tests).
Ran git rebase -i to squash commits (if needed).

Since this touches CSP, I'd appreciate if @diracdeltas could take a look 🔐 ✅

Torrent content is rendered into <iframe> when it's not video or audio content. For example, a .jpg or a .pdf file. This is because we're using a viewer page that includes the content; we're not returning the content directly. This is because the torrent may not be active and in that case, we show the "Start Download?" page. When this occurs, CSP prevents the iframe from loading content from the webtorrent server at http://localhost:port This is because we only make a CSP exception for media elements, not iframe elements. This is an easy fix. Fixes: #7243

feross · 2017-02-23T23:47:14Z

app/extensions.js

    'connect-src': '\'self\' https://example.com',
    'media-src': '\'self\' http://localhost:*',
    'form-action': '\'none\'',
    'referrer': 'no-referrer',
    'style-src': '\'self\' \'unsafe-inline\'',
-    'frame-src': '\'self\''
+    'frame-src': '\'self\' http://localhost:*'
  }

  if (process.env.NODE_ENV === 'development') {
    // allow access to webpack dev server resources
    let devServer = 'localhost:' + process.env.npm_package_config_port


None of the changes below this line should be substantive. They just remove repetition that might accidentally allow the dev and prod versions of the CSP to diverge.

feross · 2017-03-17T00:54:24Z

This has been here for a while, going to go ahead and land it.

feross added the feature/torrent label Feb 23, 2017

feross requested review from bridiver, diracdeltas and bbondy February 23, 2017 23:46

feross commented Feb 23, 2017

View reviewed changes

diracdeltas approved these changes Feb 23, 2017

View reviewed changes

feross added the PR/needs-QA-attention ☕ label Mar 2, 2017

feross merged commit 067ca56 into master Mar 17, 2017

feross deleted the fix-7243 branch March 17, 2017 00:54

feross removed the PR/needs-QA-attention ☕ label Mar 17, 2017

feross modified the milestones: 0.14.0, 0.14.1 Mar 17, 2017

bsclifton modified the milestones: 0.14.0, 0.14.1 Mar 17, 2017

bsclifton added QA/test-plan-specified release-notes/include labels Mar 17, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Torrent Viewer CSP rule blocks <iframe> content #7366

Torrent Viewer CSP rule blocks <iframe> content #7366

feross commented Feb 23, 2017 •

edited by bsclifton

feross Feb 23, 2017 •

edited

feross commented Mar 17, 2017

Torrent Viewer CSP rule blocks <iframe> content #7366

Torrent Viewer CSP rule blocks <iframe> content #7366

Conversation

feross commented Feb 23, 2017 • edited by bsclifton

Test Plan:

Description

feross Feb 23, 2017 • edited

Choose a reason for hiding this comment

feross commented Mar 17, 2017

feross commented Feb 23, 2017 •

edited by bsclifton

feross Feb 23, 2017 •

edited