Add support for viewing external sandboxed URLs in the Viewer pane

[jmcphers]

In RStudio Desktop 1.1, we are very careful to disallow navigation to external URLs for security reasons. See e.g. here:

rstudio/src/cpp/desktop/DesktopWebPage.cpp

Line 226 in 94806f3

bool WebPage::acceptNavigationRequest(const QUrl &url, NavigationType navType, bool isMainFrame)

Now that we are on QtWebEngine, however, we have access to a working sandbox for IFrames; this has been part of Chromium for some time.

https://www.chromestatus.com/feature/5715536319086592

We could choose to enable external URLs in the Viewer, which would open up a number of possibilities for external service integration with the IDE, if we can validate that sandboxing them allows us to do so safely and securely.

[jmcphers]

Some investigation notes:

1. I have confirmed that sandboxing works correctly on QtWebEngine as used by RStudio; a sample page has access to window.parent without the sandbox attribute, and does not have access with it.
2. We are forced to pass the --no-sandbox flag to Chromium on Linux (see #2381). There was some speculation that this flag would make <iframe> sandboxing not work; however, some investigation revealed that iframe sandboxing does indeed still work even with --no-sandbox (it's not the same kind of sandboxing).

[yihui]

I just ran into this issue, and I'm glad that it has already been tracked here. Thanks!

[jmcphers]

This is implemented now.

Note that sandboxing introduces a bunch of restrictions:

• Only the requested URL (and URLs that have the same prefix) will load in the Viewer pane.
• Any navigation attempts (including user-initiated navigation, script-initiated navigation, and even iframes) for other URLs will load outside RStudio.
• We allow script execution (since almost everything relies on it these days) but disallow everything else that the spec allows. We can adjust these privileges as time goes on.

[jmcphers]

Also, for QA: the sandbox attribute is applied dynamically; it is added when browsing to a non-local URL, and removed when browsing to a local one.

[mine-cetinkaya-rundel]

It looks like this is no longer working.

rstudioapi::viewer("http://google.com/")

and a few other URLs I tried don't actually show up in the viewer.

[coatless]

I can confirm that as of RStudio v1.2.1522

The only way around this is:

tfile = tempfile(fileext=".html")
download.file("http://google.com/", tfile)
rstudioapi::viewer(tfile)

Even then, clicking on a link will trigger a browser window to open...

[rundel]

I have been messing around with this and it seems like this is being caused by the WebPage::acceptNavigationRequest method in DesktopWebPage.cpp. Specifically, there is currently a (very limited) list of safe hosts:

rstudio/src/cpp/desktop/DesktopWebPage.cpp

Lines 356 to 381 in 4949a51

	void initSafeHosts()
	{
	safeHosts_ = {
	".youtube.com",
	".vimeo.com",
	".c9.ms"
	};
	for (const SessionServer& server : sessionServerSettings().servers())
	{
	http::URL url(server.url());
	safeHosts_.push_back(url.hostname());
	}
	}
	bool isSafeHost(const std::string& host)
	{
	boost::call_once(s_once,
	initSafeHosts);
	for (auto entry : safeHosts_)
	if (boost::algorithm::ends_with(host, entry))
	return true;
	return false;
	}

which are allowed to be opened by the viewer.

Is the safe hosts concept still necessary? If so is it possible to relax it somewhat such that users are warned about visiting an unsafe host and then able to progress or not via a modal dialog?

Also, while I was looking through the code it seemed like it would also be useful to expand the isLocal checks to include 0.0.0.0 as well as the machines ips.