Improve security of sandbox permissions
Change-Id: Ia39083ae521be5b06f0740d42f43b0383e220b1f
diff --git a/dev/js/spec/pluginSpec.js b/dev/js/spec/pluginSpec.js
index 2a980ad..5064e1c 100644
--- a/dev/js/spec/pluginSpec.js
+++ b/dev/js/spec/pluginSpec.js
@@ -257,7 +257,7 @@
onClick : {
template : 'about:blank',
action : 'addWidget',
- permissions: ['allow-scripts', 'allow-forms']
+ permissions: ['scripts', 'forms', 'all']
}
}]
});
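Review bot: The fixture uses `'all'` as the entry that must be rejected, so the case this commit is actually about, `'same-origin'`, is never exercised. I would extend the array to `permissions: ['scripts', 'forms', 'all', 'same-origin']`. The spec should then assert that the resulting `sandbox` attribute contains neither `allow-all` nor `allow-same-origin`; such an assertion may already exist for `'all'`, since the rest of the spec lies outside this hunk.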
@@ -285,7 +285,7 @@
"name":"Test",
"src":"https://example",
"id":56,
- "permissions":["allow-scripts","allow-forms"]
+ "permissions":["scripts","forms"]
});
var we = widget.element();
diff --git a/dev/js/src/plugin/service.js b/dev/js/src/plugin/service.js
index 23271e5..4c91f6a 100644
--- a/dev/js/src/plugin/service.js
+++ b/dev/js/src/plugin/service.js
@@ -1,6 +1,16 @@
define(function () {
"use strict";
+ // Limit the supported sandbox permissions, especially
+ // to disallow 'same-origin'.
+ let allowed = {
+ "scripts" : 1,
+ "presentation" : 1,
+ "forms": 1,
+ "downloads-without-user-activation" : 1,
+ "downloads" : 1
+ };
+
return {
create : function (data) {
return Object.create(this)._init(data);
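Review bot: The allow-list is declared with `let` as a plain mutable object, so later code in this module could reassign or extend it and silently widen what plugins may request. Declaring it as `const allowed = Object.freeze({` and closing with `});` makes the table immutable. The comment could also record why `same-origin` is excluded: together with `allow-scripts` it lets a framed document that shares the embedding page's origin remove its own sandbox.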
@@ -14,14 +24,20 @@
this.name = data["name"];
this.src = data["src"];
this.id = data["id"];
- this._perm = new Set();
-
+ let _perm = new Set();
let perm = data["permissions"];
if (perm && Array.isArray(perm)) {
- perm.forEach(
- p => this._perm.add(p)
- );
+ perm.forEach(function (p) {
+ if (p in allowed) {
+ _perm.add(p)
+ }
+ else {
+ KorAP.log(0, "Requested permission not allowed");
+ }
+ });
};
+
+ this._perm = _perm;
// There is no close method defined yet
if (!this.close) {
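Review bot: The check `p in allowed` also matches keys inherited from `Object.prototype`, because `allowed` is a plain object literal defined in the previous hunk. Requested permissions such as `constructor` or `toString` therefore pass the filter and end up in `_perm`. Browsers should ignore the resulting unknown `allow-…` tokens, so this looks like a strictness gap rather than a sandbox escape, but the filter should only accept the listed names: `if (Object.prototype.hasOwnProperty.call(allowed, p)) {`. The log message would also be easier to triage if it named the rejected permission and the plugin, provided the log sink escapes its input. `_init` starts and ends outside this hunk.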
@@ -51,7 +67,7 @@
e.setAttribute('allowTransparency',"true");
e.setAttribute('frameborder', 0);
// Allow forms in Plugins
- e.setAttribute('sandbox', Array.from(this._perm).sort().join(" "));
+ e.setAttribute('sandbox', Array.from(this._perm).sort().map(function(i){ return "allow-"+i }).join(" "));
e.style.height = '0px';
e.setAttribute('name', this.id);
e.setAttribute('src', this.src);
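Review bot: The comment `// Allow forms in Plugins` above the `sandbox` line is stale, because the attribute now carries whatever subset of the allow-list the plugin requested. I would replace it with `// Sandbox the plugin iframe: only allow-listed permissions, never 'allow-same-origin'`. It is also worth noting there that an empty permission set yields `sandbox=""`, which applies every restriction, so a plugin without permissions is the most restricted case. The enclosing function starts and ends outside the hunk.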
diff --git a/package.json b/package.json
index a04794c..a7aa8e6 100755
--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
"name": "Kalamar",
"description": "Mojolicious-based Frontend for KorAP",
"license": "BSD-2-Clause",
- "version": "0.39.4",
+ "version": "0.39.5",
"pluginVersion": "0.2.2",
"engines": {
"node": ">=6.0.0"