Rev900, Sidebar filestats bar width round fix, Sidebar WebGL not supported error, Sidebar optimalizations, Trayicon gray shadow, Trim end of line whitespace from json files, Fix testweb testcase, Implement experimental postMessage nonce security, Return None when testing external ip, Window opener security check and message, Increase timeout for large files

2016-02-10 02:30:04 +01:00 · 2016-02-10 02:30:04 +01:00 · 61cfb8aa2f
commit 61cfb8aa2f
parent 018c6f7075
17 changed files with 121 additions and 39 deletions
--- a/src/Ui/media/Wrapper.coffee
+++ b/src/Ui/media/Wrapper.coffee
@ -1,11 +1,6 @@
 class Wrapper
 	constructor: (ws_url) ->
 		@log "Created!"
-		if window.opener
-			@log "Security error: Opener present, exiting..."
-			document.write("Forbidden: Opener present.")
-			document.body.innerHTML = "Forbidden: Opener present."
-			return

 		@loading = new Loading()
 		@notifications = new Notifications($(".notifications"))
@ -73,6 +68,11 @@ class Wrapper
 	# Incoming message from inner frame
 	onMessageInner: (e) =>
 		message = e.data
+		if window.postmessage_nonce_security and message.wrapper_nonce != window.wrapper_nonce
+			@log "Message nonce error:", message.wrapper_nonce, '!=', window.wrapper_nonce
+			@actionNotification({"params": ["error", "Message wrapper_nonce error, please report!"]})
+			window.removeEventListener("message", @onMessageInner)
+			return
 		cmd = message.cmd
 		if cmd == "innerReady"
 			@inner_ready = true
@ -383,4 +383,23 @@ else

 ws_url = proto.ws + ":" + origin.replace(proto.http+":", "") + "/Websocket?wrapper_key=" + window.wrapper_key

-window.wrapper = new Wrapper(ws_url)
+
+if window.opener
+	# Window opener security problem workaround: Open a new window, close this one
+	console.log "Opener present:", window.opener
+	setTimeout ( ->  # Wait 200ms to parent tab closing
+		if window.opener
+			# Opener still present, display message
+			elem = $("<div class='opener-overlay'><div class='dialog'>You have opened this page by clicking on a link. Please, confirm if you want to load this site.<a href='?' target='_blank' class='button'>Open site</a></div></div>")
+			elem.find('a').on "click", ->
+				window.open("?", "_blank")
+				window.close()
+				return false
+			$("body").prepend(elem)
+		else
+			window.location.reload()
+			# Opener gone, continue init
+			# window.wrapper = new Wrapper(ws_url)
+	), 100
+else
+	window.wrapper = new Wrapper(ws_url)
--- a/src/Ui/media/Wrapper.css
+++ b/src/Ui/media/Wrapper.css
@ -130,6 +130,10 @@ a { color: black }
 	box-shadow: 0 0 10px #AF3BFF, 0 0 5px #29d; opacity: 1.0; transform: rotate(3deg) translate(0px, -4px);
 }

+/* Opener overlay */
+.opener-overlay { position: fixed; z-index: 9999; width: 100%; text-align: center; background-color: rgba(100,100,100,0.5); height: 100%; vertical-align: middle; }
+.opener-overlay .dialog { background-color: white; padding: 40px; display: inline-block; color: #4F4F4F; font-family: 'Lucida Grande', 'Segoe UI', Helvetica, Arial, sans-serif; font-size: 14px; }
+
 /* Icons */
 .icon-profile { font-size: 6px; top: 0em; border-radius: 0.7em 0.7em 0 0; background: #FFFFFF; width: 1.5em; height: 0.7em; position: relative; display: inline-block; margin-right: 4px }
 .icon-profile::before { position: absolute; content: ""; top: -1em; left: 0.38em; width: 0.8em; height: 0.85em; border-radius: 50%; background: #FFFFFF }
--- a/src/Ui/media/all.css
+++ b/src/Ui/media/all.css
@ -135,6 +135,10 @@ a { color: black }
 	-webkit-box-shadow: 0 0 10px #AF3BFF, 0 0 5px #29d; -moz-box-shadow: 0 0 10px #AF3BFF, 0 0 5px #29d; -o-box-shadow: 0 0 10px #AF3BFF, 0 0 5px #29d; -ms-box-shadow: 0 0 10px #AF3BFF, 0 0 5px #29d; box-shadow: 0 0 10px #AF3BFF, 0 0 5px #29d ; opacity: 1.0; -webkit-transform: rotate(3deg) translate(0px, -4px); -moz-transform: rotate(3deg) translate(0px, -4px); -o-transform: rotate(3deg) translate(0px, -4px); -ms-transform: rotate(3deg) translate(0px, -4px); transform: rotate(3deg) translate(0px, -4px) ;
 }

+/* Opener overlay */
+.opener-overlay { position: fixed; z-index: 9999; width: 100%; text-align: center; background-color: rgba(100,100,100,0.5); height: 100%; vertical-align: middle; }
+.opener-overlay .dialog { background-color: white; padding: 40px; display: inline-block; color: #4F4F4F; font-family: 'Lucida Grande', 'Segoe UI', Helvetica, Arial, sans-serif; font-size: 14px; }
+
 /* Icons */
 .icon-profile { font-size: 6px; top: 0em; -webkit-border-radius: 0.7em 0.7em 0 0; -moz-border-radius: 0.7em 0.7em 0 0; -o-border-radius: 0.7em 0.7em 0 0; -ms-border-radius: 0.7em 0.7em 0 0; border-radius: 0.7em 0.7em 0 0 ; background: #FFFFFF; width: 1.5em; height: 0.7em; position: relative; display: inline-block; margin-right: 4px }
 .icon-profile::before { position: absolute; content: ""; top: -1em; left: 0.38em; width: 0.8em; height: 0.85em; -webkit-border-radius: 50%; -moz-border-radius: 50%; -o-border-radius: 50%; -ms-border-radius: 50%; border-radius: 50% ; background: #FFFFFF }
--- a/src/Ui/media/all.js
+++ b/src/Ui/media/all.js
@ -762,12 +762,6 @@ jQuery.extend( jQuery.easing,
      this.onMessageInner = __bind(this.onMessageInner, this);
      this.onMessageWebsocket = __bind(this.onMessageWebsocket, this);
      this.log("Created!");
-      if (window.opener) {
-        this.log("Security error: Opener present, exiting...");
-        document.write("Forbidden: Opener present.");
-        document.body.innerHTML = "Forbidden: Opener present.";
-        return;
-      }
      this.loading = new Loading();
      this.notifications = new Notifications($(".notifications"));
      this.fixbutton = new Fixbutton();
@ -842,6 +836,14 @@ jQuery.extend( jQuery.easing,
    Wrapper.prototype.onMessageInner = function(e) {
      var cmd, message, query;
      message = e.data;
+      if (window.postmessage_nonce_security && message.wrapper_nonce !== window.wrapper_nonce) {
+        this.log("Message nonce error:", message.wrapper_nonce, '!=', window.wrapper_nonce);
+        this.actionNotification({
+          "params": ["error", "Message wrapper_nonce error, please report!"]
+        });
+        window.removeEventListener("message", this.onMessageInner);
+        return;
+      }
      cmd = message.cmd;
      if (cmd === "innerReady") {
        this.inner_ready = true;
@ -1264,6 +1266,24 @@ jQuery.extend( jQuery.easing,

  ws_url = proto.ws + ":" + origin.replace(proto.http + ":", "") + "/Websocket?wrapper_key=" + window.wrapper_key;

-  window.wrapper = new Wrapper(ws_url);
+  if (window.opener) {
+    console.log("Opener present:", window.opener);
+    setTimeout((function() {
+      var elem;
+      if (window.opener) {
+        elem = $("<div class='opener-overlay'><div class='dialog'>You have opened this page by clicking on a link. Please, confirm if you want to load this site.<a href='?' target='_blank' class='button'>Open site</a></div></div>");
+        elem.find('a').on("click", function() {
+          window.open("?", "_blank");
+          window.close();
+          return false;
+        });
+        return $("body").prepend(elem);
+      } else {
+        return window.location.reload();
+      }
+    }), 100);
+  } else {
+    window.wrapper = new Wrapper(ws_url);
+  }

 }).call(this);