Skip to content

ace.js: Don't use srcdoc when creating iframes#5124

Merged
rhansen merged 3 commits intodevelopfrom
drop-iframe-srcdoc
Jul 30, 2021
Merged

ace.js: Don't use srcdoc when creating iframes#5124
rhansen merged 3 commits intodevelopfrom
drop-iframe-srcdoc

Conversation

@webzwo0i
Copy link
Copy Markdown
Member

@webzwo0i webzwo0i commented Jul 20, 2021
edited by rhansen
Loading

Using srcdoc, especially with multiple nested iframes, seems to be
problematic when using self in CSP policies.

Fixes #4975

@webzwo0i webzwo0i marked this pull request as draft July 20, 2021 17:04
@webzwo0i webzwo0i mentioned this pull request Jul 20, 2021
Closed
rhansen
rhansen reviewed Jul 24, 2021
View reviewed changes
Copy link
Copy Markdown
Member

@rhansen rhansen left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I recommend adding a basic HTML skeleton to aceInner.html and aceOuter.html:

<!DOCTYPE html>
<html>
  <head>
    <title>iframe</title>
  </head>
  <body>
  </body>
</html>

Comment thread src/static/js/ace.js Outdated
Comment thread src/static/js/ace.js Outdated
Comment thread src/static/js/ace2_inner.js Outdated
@rhansen rhansen force-pushed the drop-iframe-srcdoc branch from 9d96109 to bca1a5d Compare July 29, 2021 06:45
@rhansen rhansen marked this pull request as ready for review July 29, 2021 06:45
@rhansen
Copy link
Copy Markdown
Member

rhansen commented Jul 29, 2021
edited
Loading

@webzwo0i I force-updated your branch with some changes. If everything looks good to you, feel free to merge it.

rhansen and others added 3 commits July 30, 2021 03:51
@rhansen
ace2_inner.js: Delete unnecessary ace_outerWin variable
0c963a8
@rhansen
ace2_inner.js: Improve discovery of sidediv and linemetricsdiv
9fda5ad 
The `Node.nextSibling` property returns the next Node, not the next
Element. If whitespace, an HTML comment, or any other type of
non-Element Node is ever introduced between the Elements then
`.nextSibling` no longer returns the desired Element. Switching to
`Element.nextElementSibling` would work, but finding the Elements by
ID is more readable and future-proof.
@webzwo0i @rhansen
ace.js: Don't use srcdoc when creating iframes (see #4975)
e61888d 
Using srcdoc, especially with multiple nested iframes, seems to be
problematic when using `self` in CSP policies.
@rhansen rhansen force-pushed the drop-iframe-srcdoc branch from bca1a5d to e61888d Compare July 30, 2021 07:52
@rhansen rhansen changed the title ace.js: Don't use srcdoc when creating iframes (see #4975) ace.js: Don't use srcdoc when creating iframes Jul 30, 2021
@rhansen rhansen merged commit e61888d into develop Jul 30, 2021
@rhansen rhansen deleted the drop-iframe-srcdoc branch July 30, 2021 07:54
@rhansen rhansen mentioned this pull request Jan 27, 2022
Closed
14 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rhansen rhansen rhansen approved these changes

+1 more reviewer

@nuxi nuxi nuxi left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1.8.13: page load broken with 'self' content security policy (Ace2Editor.init() error event while waiting for load event)

3 participants

@webzwo0i @rhansen @nuxi