iframe lacks allow attribute to use navigator.clipboard in Chrome #3474
Comments
vmiklos
added a commit
to vmiklos/nextcloud-richdocuments
that referenced
this issue
Feb 16, 2024
…d#3474) As described at <https://sites.google.com/a/chromium.org/dev/Home/chromium-security/deprecating-permissions-in-cross-origin-iframes> newer Chrome requires explicit markup for code in an iframe to execute JS that requires permissions, like clipboard. If this markup is missing, then the user won't be even asked. Use the wildcard syntax, because the COOL JS code in the iframe is not the initial src attribute value of the iframe, it gets changed later. With this, a permission popup on paste shows up in Chrome even if the paste is pressed on the notebookbar, even if nextcloud is served from one domain and COOL is served from another domain. This fixes the document edit case; possibly it should be also added at all other places where the allowfullscreen attribute is used, which is not done in this commit. Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Proposed fix: #3475
vmiklos
added a commit
to vmiklos/nextcloud-richdocuments
that referenced
this issue
Feb 19, 2024
…d#3474) As described at <https://sites.google.com/a/chromium.org/dev/Home/chromium-security/deprecating-permissions-in-cross-origin-iframes> newer Chrome requires explicit markup for code in an iframe to execute JS that requires permissions, like clipboard. If this markup is missing, then the user won't be even asked. Use the wildcard syntax, because the COOL JS code in the iframe is not the initial src attribute value of the iframe, it gets changed later. With this, a permission popup on paste shows up in Chrome even if the paste is pressed on the notebookbar, even if nextcloud is served from one domain and COOL is served from another domain. This fixes the document edit case; possibly it should be also added at all other places where the allowfullscreen attribute is used, which is not done in this commit. Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
eszkadev
added a commit
that referenced
this issue
Feb 19, 2024
fix: emit allow attribute on iframe for the clipboard (fixes #3474)
vmiklos
added a commit
to vmiklos/nextcloud-richdocuments
that referenced
this issue
Feb 20, 2024
…nextcloud#3474) The unhandled cases were:
- read-only view
- view a past revision
- for completeness, also adapt the iframe in files.js
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
backportbot bot
pushed a commit
that referenced
this issue
Feb 20, 2024
As described at <https://sites.google.com/a/chromium.org/dev/Home/chromium-security/deprecating-permissions-in-cross-origin-iframes> newer Chrome requires explicit markup for code in an iframe to execute JS that requires permissions, like clipboard. If this markup is missing, then the user won't be even asked. Use the wildcard syntax, because the COOL JS code in the iframe is not the initial src attribute value of the iframe, it gets changed later. With this, a permission popup on paste shows up in Chrome even if the paste is pressed on the notebookbar, even if nextcloud is served from one domain and COOL is served from another domain. This fixes the document edit case; possibly it should be also added at all other places where the allowfullscreen attribute is used, which is not done in this commit. Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
backportbot bot
pushed a commit
that referenced
this issue
Feb 20, 2024
…#3474) The unhandled cases were:
- read-only view
- view a past revision
- for completeness, also adapt the iframe in files.js
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
juliushaertl
added a commit
that referenced
this issue
Feb 20, 2024
[stable28] fix: emit allow attribute on iframe for the clipboard (fixes #3474)
juliushaertl
added a commit
that referenced
this issue
Feb 27, 2024
[stable27] fix: emit allow attribute on iframe for the clipboard (fixes #3474)
This was referenced Feb 29, 2024
Closed
Describe the bug
Recent online.git tries to use navigator.clipboard in Chrome for better paste and paste special when you use the notebookbar buttons and not the keyboard. This works when COOL is running standalone, but not when nextcloud is served from one domain and COOL is from another domain, due to how Chrome restricts cross-origin iframes.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
A Chrome popup asks if reading from the clipboard should be allowed.
Actual behavior
Nothing happens, unless nextcloud and COOL are served from the same domain.
Screenshots
The developer console shows this:
"navigator.clipboard.read() failed: The Clipboard API has been blocked because of a permissions policy applied to the current document. See https://goo.gl/EuHzyv for more details."
Other details
Probably the fix is to emit an allow="clipboard-read *; clipboard-write *" attribute on the iframe element in src/view/Office.vue, will submit a PR to do that. At least that makes the clipboard popup show and after granting the permission, paste works in Chrome.
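
The following is an added example, not code from the issue or from the richdocuments project: a simplified model of how an iframe `allow` value delegates `clipboard-read` / `clipboard-write` to the framed origin, showing why a missing or bare attribute fails cross-origin and how the wildcard differs from naming the office origin explicitly. The origins are constructed placeholders, the function names are hypothetical, and the model assumes the embedding page itself has the feature enabled.

```javascript
// Simplified model of Permissions Policy delegation via <iframe allow="...">.
// Not a browser implementation; origins used with it are constructed placeholders.

// Parse "feature allowlist; feature allowlist" into Map(feature -> tokens).
function parseAllow(allowValue) {
  const policy = new Map();
  for (const directive of allowValue.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [feature, ...allowlist] = tokens;
    // In the allow attribute an omitted allowlist means 'src'.
    policy.set(feature.toLowerCase(), allowlist.length ? allowlist : ["'src'"]);
  }
  return policy;
}

// Would a document from frameOrigin inside the iframe get `feature`?
// ctx.parentOrigin: origin of the embedding page.
// ctx.srcOrigin: origin of the iframe's src attribute value.
function isDelegated(allowValue, feature, frameOrigin, ctx) {
  const allowlist = parseAllow(allowValue).get(feature);
  if (!allowlist) {
    // Feature not listed: clipboard features default to 'self',
    // so only a frame same-origin with the parent keeps them.
    return frameOrigin === ctx.parentOrigin;
  }
  return allowlist.some((token) => {
    if (token === '*') return true;
    if (token === "'none'") return false;
    if (token === "'self'") return frameOrigin === ctx.parentOrigin;
    if (token === "'src'") return frameOrigin === ctx.srcOrigin;
    try {
      return new URL(token).origin === frameOrigin;
    } catch {
      return false; // unparseable token matches nothing
    }
  });
}

// Features delegated to every origin the frame may ever load: worth a review.
function wildcardFeatures(allowValue) {
  return [...parseAllow(allowValue)]
    .filter(([, allowlist]) => allowlist.includes('*'))
    .map(([feature]) => feature);
}
```

With an explicit origin in place of `*`, the delegation no longer follows the frame if it is navigated to a different origin.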