ace.js: Don't use srcdoc when creating iframes (see #4975)

Using srcdoc, especially with multiple nested iframes, seems to be
problematic when using `self` in CSP policies.
pull/5124/head
webzwo0i 2021-07-20 18:50:18 +02:00 committed by Richard Hansen
parent 9fda5adcef
commit e61888dfe2
2 changed files with 5 additions and 2 deletions

1
src/static/empty.html Normal file
View File

@ -0,0 +1 @@
<!DOCTYPE html><html><head><title>Empty</title></head><body></body></html>

View File

@ -197,7 +197,9 @@ const Ace2Editor = function () {
// - Chrome never fires any events on the frame or document. Eventually the document's
// readyState becomes 'complete' even though it never fires a readystatechange event.
// - Safari behaves like Chrome.
outerFrame.srcdoc = '<!DOCTYPE html>';
// srcdoc is avoided because Firefox's Content Security Policy engine does not properly handle
// 'self' with nested srcdoc iframes: https://bugzilla.mozilla.org/show_bug.cgi?id=1721296
outerFrame.src = '../static/empty.html';
info.frame = outerFrame;
document.getElementById(containerId).appendChild(outerFrame);
const outerWindow = outerFrame.contentWindow;
@ -240,7 +242,7 @@ const Ace2Editor = function () {
innerFrame.allowTransparency = true; // for IE
// The iframe MUST have a src or srcdoc property to avoid browser quirks. See the comment above
// outerFrame.srcdoc.
innerFrame.srcdoc = '<!DOCTYPE html>';
innerFrame.src = 'empty.html';
outerDocument.body.insertBefore(innerFrame, outerDocument.body.firstChild);
const innerWindow = innerFrame.contentWindow;