Author: johnh
Date: Tue May 10 02:00:09 2011
New Revision: 1101287
URL: http://svn.apache.org/viewvc?rev=1101287&view=rev
Log:
Several gadgets.rpc fixes and improvements discovered when removing insecure
rpc communication (effectively setting forcesecure=true always).
1. Fix auto-detected rpctoken of child URL, accidentally broken in a previous
patch.
2. Remove relayURL requirement for wpm to work. How this ever worked I'm not
sure -- perhaps because forcesecure wasn't enabled before. WPM's same-origin
policy does not require a relay IFRAME to work properly. This CL removes
relayOnload() in the transport for this case, while keeping it for the phishing
case.
3. Retrieve the appropriate target origin when verifying w.pm messages.
Modified:
shindig/trunk/features/src/main/javascript/features/rpc/rpc.js
shindig/trunk/features/src/main/javascript/features/rpc/wpm.transport.js
Modified: shindig/trunk/features/src/main/javascript/features/rpc/rpc.js
URL:
http://svn.apache.org/viewvc/shindig/trunk/features/src/main/javascript/features/rpc/rpc.js?rev=1101287&r1=1101286&r2=1101287&view=diff
==============================================================================
--- shindig/trunk/features/src/main/javascript/features/rpc/rpc.js (original)
+++ shindig/trunk/features/src/main/javascript/features/rpc/rpc.js Tue May 10
02:00:09 2011
@@ -261,7 +261,6 @@ if (!window['gadgets']['rpc']) { // make
hookMainPageUnload();
data = gadgets.json.parse(decodeURIComponent(data));
- transport.relayOnload(sourceId, data);
}
/**
@@ -644,38 +643,37 @@ if (!window['gadgets']['rpc']) { // make
setupFrame(targetId, token);
}
- function setupContainerGadgetContext(rpctoken) {
+ function setupContainedContext(rpctoken, opt_parent) {
function init(config) {
var cfg = config ? config['rpc'] : {};
- var configLegacy = cfg['useLegacyProtocol'];
- if (typeof configLegacy === "string") {
- configLegacy = configLegacy === "true";
- }
+ var useLegacy = String(cfg['useLegacyProtocol']) === 'true';
+ passReferrer = String(cfg['passReferrer']) === 'true';
+
// Parent-relative only.
- var parentRelayUrl = cfg['parentRelayUrl'] || "";
- parentRelayUrl = getOrigin(params['parent']) + parentRelayUrl;
- var useLegacy = !!configLegacy;
+ var parentRelayUrl = cfg['parentRelayUrl'] || '';
+ parentRelayUrl = getOrigin(params['parent'] || opt_parent) +
parentRelayUrl;
setRelayUrl('..', parentRelayUrl, useLegacy);
+
if (useLegacy) {
transport = gadgets.rpctx.ifpc;
transport.init(process, transportReady);
}
+
setAuthToken('..', rpctoken);
- passReferrer = String(cfg['passReferrer']) === 'true';
}
- gadgets.config.register('rpc', null, init);
- }
- function setupContainerGenericIframe(rpctoken, opt_parent) {
- // Generic child IFRAME setting up connection w/ its container.
- // Use the opt_parent param if provided, or the "parent" query param
- // if found -- otherwise, do nothing since this call might be initiated
- // automatically at first, then actively later in IFRAME code.
- var parent = opt_parent || params['parent'];
- if (parent) {
- setRelayUrl('..', parent);
- setAuthToken('..', rpctoken);
+ // Check to see if we know the parent yet.
+ // In almost all cases we will, since the parent param is provided.
+ // However, it's possible that the lib doesn't yet know, but is
+ // initialized in forced fashion later.
+ if (!params['parent'] && opt_parent) {
+ // Handles the forced initialization case.
+ init({});
+ return;
}
+
+ // Handles the standard gadgets.config.init() case.
+ gadgets.config.register('rpc', null, init);
}
function setupChildIframe(gadgetId, opt_frameurl, opt_authtoken) {
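Review bot: The forced-initialization branch calls `init({})`, but `init` computes `cfg` as `config ? config['rpc'] : {}`, so an empty object yields `cfg === undefined` and the next line's `cfg['useLegacyProtocol']` throws before `setRelayUrl` and `setAuthToken` run. Defaulting with `var cfg = (config && config['rpc']) || {};` keeps both the forced and the registered path working. Separately, `getOrigin(params['parent'] || opt_parent)` reverses the precedence of the removed `setupContainerGenericIframe` (`opt_parent || params['parent']`), so a `parent` query parameter now overrides the origin the caller passed explicitly. Because that origin feeds the relay URL for '..', either keep the explicit argument first or add a comment saying the new order is intended.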
@@ -693,11 +691,12 @@ if (!window['gadgets']['rpc']) { // make
// The "relay URL" can either be explicitly specified or is set as
// the child IFRAME URL's origin
- var relayUrl = opt_frameurl || gadgets.rpc.getOrigin(childIframe.src);
+ var childSrc = childIframe.src;
+ var relayUrl = opt_frameurl || gadgets.rpc.getOrigin(childSrc);
setRelayUrl(gadgetId, relayUrl);
// The auth token is parsed from child params (rpctoken) or overridden.
- var childParams = gadgets.util.getUrlParameters(relayUrl);
+ var childParams = gadgets.util.getUrlParameters(childSrc);
var rpctoken = opt_authtoken || childParams['rpctoken'];
setAuthToken(gadgetId, rpctoken);
}
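Review bot: The switch from `relayUrl` to `childSrc` for token parsing deserves a why-comment, since the commit log says this lookup was already broken once by an earlier patch. When `opt_frameurl` is absent, `relayUrl` is the result of `getOrigin(childSrc)` and presumably carries no query string, so a line such as `// Parse the full iframe src: relayUrl may be origin-only and then has no rpctoken param.` above the `getUrlParameters` call would guard against a repeat. Note also that `rpctoken` can still be `undefined` here when neither source supplies it, whereas the '..' branch later in this diff defaults to `''`; whether `setAuthToken` tolerates that is not visible in this hunk, whose enclosing function starts outside it.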
@@ -749,11 +748,7 @@ if (!window['gadgets']['rpc']) { // make
if (targetId === '..') {
// Gadget/IFRAME to container.
var rpctoken = opt_authtoken || params['rpctoken'] ||
params['ifpctok'] || '';
- if (window['__isgadget'] === true) {
- setupContainerGadgetContext(rpctoken);
- } else {
- setupContainerGenericIframe(rpctoken, opt_receiverurl);
- }
+ setupContainedContext(rpctoken, opt_receiverurl);
} else {
// Container to child.
setupChildIframe(targetId, opt_receiverurl, opt_authtoken);
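Review bot: Dropping the `window['__isgadget']` branch changes when a generic (non-gadget) iframe that carries a `parent` query parameter gets its relay URL and auth token. The removed `setupContainerGenericIframe` set both immediately, while `setupContainedContext` only registers `init` with `gadgets.config` in that case, so they are set once the config is initialised. If generic iframes are not guaranteed to trigger that initialisation, the '..' channel is left without a relay URL or token. A comment on this call stating the assumption, or a test covering the non-gadget case, would make the dependency explicit.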
Modified:
shindig/trunk/features/src/main/javascript/features/rpc/wpm.transport.js
URL:
http://svn.apache.org/viewvc/shindig/trunk/features/src/main/javascript/features/rpc/wpm.transport.js?rev=1101287&r1=1101286&r2=1101287&view=diff
==============================================================================
--- shindig/trunk/features/src/main/javascript/features/rpc/wpm.transport.js
(original)
+++ shindig/trunk/features/src/main/javascript/features/rpc/wpm.transport.js
Tue May 10 02:00:09 2011
@@ -69,9 +69,7 @@ if (!gadgets.rpctx.wpm) { // make lib r
}
// for security, check origin against expected value
- var origRelay = gadgets.rpc.getRelayUrl(rpc['f']) ||
- gadgets.util.getUrlParameters()['parent'];
- var origin = gadgets.rpc.getOrigin(origRelay);
+ var origin = gadgets.rpc.getTargetOrigin(rpc['f']);
// Opera's "message" event does not have an "origin" property (at least,
// it doesn't in version 9.64; presumably, it will in version 10). If
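Review bot: The expected origin is now looked up solely from `rpc['f']`, a field of the received message, and the old fallback to the `parent` URL parameter is gone, so the comparison that follows must fail closed when `getTargetOrigin` returns nothing for an unknown sender id. The comparison itself lies outside this hunk, so this cannot be confirmed from here; if it rejects only on a mismatch between two defined values, an empty `origin` needs an explicit early return. The Opera comment below suggests that events lacking an `origin` property are tolerated, which is worth re-checking now that the commit's stated goal is removing insecure rpc communication.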
@@ -111,6 +109,7 @@ if (!gadgets.rpctx.wpm) { // make lib r
if (receiverId === '..') {
gadgets.rpc._createRelayIframe(token);
}
+ ready(receiverId, true);
return true;
},
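Review bot: `ready(receiverId, true)` now fires synchronously inside setup, before anything is known about the other frame, where it previously ran from `relayOnload`, presumably after the relay had loaded. If `ready` releases queued calls (its body is not in this hunk, and the enclosing method starts outside it), calls issued before the peer has attached its message listener may be dropped. A comment such as `// WPM needs no relay handshake, so the channel is usable as soon as setup completes.` would record the assumption. The unchanged `gadgets.rpc._createRelayIframe(token)` call for '..' also looks at odds with the log's statement that WPM needs no relay IFRAME and may deserve a note on why it stays.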
@@ -130,10 +129,6 @@ if (!gadgets.rpctx.wpm) { // make lib r
', cannot send cross-domain message');
}
return true;
- },
-
- relayOnload: function(receiverId, data) {
- ready(receiverId, true);
}
};
}();