[Libreoffice-commits] online.git: loleaflet/html loleaflet/src wsd/FileServer.cpp
loleaflet/html/loleaflet.html.m4 |2 ++ loleaflet/src/control/Toolbar.js |5 - wsd/FileServer.cpp |5 + 3 files changed, 11 insertions(+), 1 deletion(-) New commits: commit aaf1fa4fc610323fd539d1480ef057e123f98790 Author: Muhammet Kara AuthorDate: Thu Apr 16 00:59:43 2020 +0300 Commit: Jan Holesovsky CommitDate: Thu Apr 16 11:37:08 2020 +0200 Welcome: Pass welcome value from loolwsd.xml to the JS side Now we have window.enableWelcomeMessage on the JS side to avoid any queries at all when the feature is disabled. Change-Id: I8420089f775bfbf5bcd557c7c720172fbce8c22e Reviewed-on: https://gerrit.libreoffice.org/c/online/+/92338 Tested-by: Jenkins CollaboraOffice Reviewed-by: Jan Holesovsky
diff --git a/loleaflet/html/loleaflet.html.m4 b/loleaflet/html/loleaflet.html.m4
index dca62ada1..c8d51f0f0 100644
--- a/loleaflet/html/loleaflet.html.m4
+++ b/loleaflet/html/loleaflet.html.m4
@@ -234,6 +234,7 @@ m4_ifelse(MOBILEAPP,[true],
 window.accessTokenTTL = '';
 window.accessHeader = '';
 window.loleafletLogging = 'true';
+ window.enableWelcomeMessage = false;
 window.outOfFocusTimeoutSecs = 100;
 window.idleTimeoutSecs = 100;
 window.reuseCookies = '';
@@ -246,6 +247,7 @@ m4_ifelse(MOBILEAPP,[true],
 window.accessTokenTTL = '%ACCESS_TOKEN_TTL%';
 window.accessHeader = '%ACCESS_HEADER%';
 window.loleafletLogging = '%LOLEAFLET_LOGGING%';
+ window.enableWelcomeMessage = %ENABLE_WELCOME_MSG%;
 window.outOfFocusTimeoutSecs = %OUT_OF_FOCUS_TIMEOUT_SECS%;
 window.idleTimeoutSecs = %IDLE_TIMEOUT_SECS%;
 window.reuseCookies = '%REUSE_COOKIES%';
diff --git a/loleaflet/src/control/Toolbar.js b/loleaflet/src/control/Toolbar.js
index e6f1a7e6f..4e17dece2 100644
--- a/loleaflet/src/control/Toolbar.js
+++ b/loleaflet/src/control/Toolbar.js
@@ -424,12 +424,15 @@ L.Map.include({ }, shouldWelcome: function() { + if (!window.enableWelcomeMessage || L.Browser.cypressTest) + return false; + var currentVerCookie = this.getCookie('WSDWelcomeVersion'); var newVerCookie = 'WSDWelcomeVersion=' + this._socket.WSDServer.Version; var welcomeDisabledCookie = this.getCookie('WSDWelcomeDisabled'); var isWelcomeDisabled = welcomeDisabledCookie === 'WSDWelcomeDisabled=true'; - if (currentVerCookie !== newVerCookie && !isWelcomeDisabled && !L.Browser.cypressTest) { + if (currentVerCookie !== newVerCookie && !isWelcomeDisabled) { return true; } diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp index 027655dc9..5a973bc01 100644 --- a/wsd/FileServer.cpp +++ b/wsd/FileServer.cpp @@ -736,6 +736,11 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco:: const std::string idleTimeoutSecs= config.getString("per_view.idle_timeout_secs", "900"); Poco::replaceInPlace(preprocess, std::string("%IDLE_TIMEOUT_SECS%"), idleTimeoutSecs); +std::string enableWelcomeMessage = "false"; +if (config.getBool("welcome.enable", false)) +enableWelcomeMessage = "true"; +Poco::replaceInPlace(preprocess, std::string("%ENABLE_WELCOME_MSG%"), enableWelcomeMessage); + // Capture cookies so we can optionally reuse them for the storage requests. { NameValueCollection cookies; ___ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
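Review bot: The new guard at the top of `shouldWelcome` is a two-line `if` without braces, while the `if` further down in the same hunk is braced; `if (!window.enableWelcomeMessage || L.Browser.cypressTest) { return false; }` would keep the function consistent. A short comment above it, for example `// welcome.enable is off on the server, or we run under Cypress: skip the cookie lookups entirely.`, would record why this check has to come before the `getCookie` calls. The function body continues past the end of the hunk.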
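Review bot: `%ENABLE_WELCOME_MSG%` is substituted into loleaflet.html.m4 without quotes, so the replacement string built in this FileServer.cpp hunk has to remain a bare JavaScript literal, and nothing at this site says so. That holds today because the value is derived from `config.getBool`, but a comment such as `// Substituted unquoted into the page script: must only ever be "true" or "false".` would keep a later edit from passing a raw config string through. The three lines could also collapse to `const std::string enableWelcomeMessage = config.getBool("welcome.enable", false) ? "true" : "false";`, matching the `const std::string idleTimeoutSecs` declaration just above. `preprocessFile` starts and ends outside the hunk.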
[Libreoffice-commits] online.git: loleaflet/html loleaflet/src wsd/FileServer.cpp
loleaflet/html/loleaflet.html.m4 |2 + loleaflet/src/map/handler/Map.WOPI.js | 54 -- wsd/FileServer.cpp| 28 + 3 files changed, 68 insertions(+), 16 deletions(-) New commits: commit b5f58fbe8c4f283d10def377c8a687245312fa1f Author: Michael Meeks AuthorDate: Tue Jan 14 16:56:01 2020 + Commit: Jan Holesovsky CommitDate: Wed Jan 15 10:56:27 2020 +0100 postMessage CSS checking improvements. Ironically our attempts to double-check message origin against our parent was blowing a security exception. Instead send the list of origins we will accept from WSD, and check them ourselves (as well as the browser check). Why make it so hard to check that a postMessage comes from an ancestor frame ? Change-Id: I1311be3e1d68a31cfdc96b45a5eb5dd7f26e7ea9 Reviewed-on: https://gerrit.libreoffice.org/c/online/+/86788 Tested-by: Jenkins CollaboraOffice Reviewed-by: Alexandru Vlăduţu Reviewed-by: Jan Holesovsky diff --git a/loleaflet/html/loleaflet.html.m4 b/loleaflet/html/loleaflet.html.m4 index ad6d90f4b..4addf8955 100644 --- a/loleaflet/html/loleaflet.html.m4 +++ b/loleaflet/html/loleaflet.html.m4 @@ -231,6 +231,7 @@ ifelse(MOBILEAPP,[true], window.idleTimeoutSecs = 100; window.reuseCookies = ''; window.protocolDebug = false; + window.frameAncestors = ''; window.tileSize = 256;], [window.host = '%HOST%'; window.serviceRoot = '%SERVICE_ROOT%'; @@ -242,6 +243,7 @@ ifelse(MOBILEAPP,[true], window.idleTimeoutSecs = %IDLE_TIMEOUT_SECS%; window.reuseCookies = '%REUSE_COOKIES%'; window.protocolDebug = %PROTOCOL_DEBUG%; + window.frameAncestors = '%FRAME_ANCESTORS%'; window.tileSize = 256;]) syscmd([cat ]GLOBAL_JS)dnl diff --git a/loleaflet/src/map/handler/Map.WOPI.js b/loleaflet/src/map/handler/Map.WOPI.js index dcd401407..89f01ec53 100644 --- a/loleaflet/src/map/handler/Map.WOPI.js +++ b/loleaflet/src/map/handler/Map.WOPI.js 
@@ -141,13 +141,61 @@ L.Map.WOPI = L.Handler.extend({ this._map.fire('postMessage', {msgId: 'App_LoadingStatus', args: {Status: 'Document_Loaded', DocumentLoadedTime: this.DocumentLoadedTime}}); }, - _postMessageListener: function(e) { + // Naturally we set a CSP to catch badness, but check here as well. + // Checking whether a message came from our iframe's parents is + // un-necessarily difficult. + _allowMessageOrigin: function(e) { + // cache - to avoid regexps. + if (this._cachedGoodOrigin && this._cachedGoodOrigin === e.origin) + return true; // e.origin === 'null' when sandboxed (i.e. when the parent is a file on local filesystem). - if (e.origin !== 'null' && e.origin !== window.parent.origin) { - return; + if (e.origin === 'null') + return true; + try { + if (e.origin === window.parent.origin) + return true; + } catch (secErr) { // security error de-referencing window.parent.origin. + } + + // sent from the server + var i; + if (!this._allowedOrigins && window.frameAncestors) + { + var ancestors = window.frameAncestors.trim().split(' '); + this._allowedOrigins = ancestors; + // convert to JS regexps from localhost:* to https*://localhost:.* + for (i = 0; i < ancestors.length; i++) { + this._allowedOrigins[i] = 'https*://' + ancestors[i].replace(/:\*/, ':.*'); + } + } + + if (this._allowedOrigins) + { + for (i = 0; i < this._allowedOrigins.length; i++) { + if (e.origin.match(this._allowedOrigins[i])) + { + this._cachedGoodOrigin = e.origin; + return true; + } + } } + // chrome only + if (window.location.ancestorOrigins && + window.location.ancestorOrigins.contains(e.origin)) + { + this._cachedGoodOrigin = e.origin; + return true; + } + + return false; + }, + + _postMessageListener: function(e) { + if (!this._allowMessageOrigin(e)) + return; + var msg; try { msg = JSON.parse(e.data); diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp index 3cf3fbc51..07ac439b3 100644
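Review bot: The patterns that `_allowMessageOrigin` builds from `window.frameAncestors` are neither escaped nor anchored, so `e.origin.match(...)` accepts more than the listed origins: a `.` in a host name matches any character, and without `^`/`$` an entry matches any origin that merely contains it. An empty token from `split(' ')` (for instance a doubled space) produces the pattern `https*://`, which matches every http(s) origin, and a `*` anywhere other than the `:*` port form is read as a regex quantifier rather than a wildcard. I would build anchored `RegExp` objects once, escaping metacharacters and translating `*` explicitly, as in the excerpt below; which entry shapes WSD actually sends is not visible here because the FileServer.cpp hunk lies outside this view. Separately, `e.origin === 'null'` is still accepted unconditionally, which admits any opaque-origin sender, so a comment should say that a passed origin check is not authentication of the message. `_postMessageListener` continues past the end of the hunk.

```javascript
// … unchanged: cached-origin, 'null' and window.parent.origin checks …
var i;
if (!this._allowedOrigins && window.frameAncestors)
{
	var ancestors = window.frameAncestors.trim().split(/\s+/);
	this._allowedOrigins = [];
	for (i = 0; i < ancestors.length; i++) {
		if (!ancestors[i])
			continue;
		// escape regex metacharacters so '.' in a host name is literal
		var host = ancestors[i].replace(/[.+?^${}()|[\]\\]/g, '\\$&');
		// 'host:*' means any port; any other '*' stands for one run of host characters
		host = host.replace(/:\*$/, ':[0-9]+').replace(/\*/g, '[^/:]*');
		// anchor both ends so only the whole origin can match
		this._allowedOrigins.push(new RegExp('^https?://' + host + '$'));
	}
}
// … unchanged: matching loop and ancestorOrigins check …
```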