From e61888dfe26a94a961e013d8bbec3fe3fb2d4290 Mon Sep 17 00:00:00 2001 From: webzwo0i Date: Tue, 20 Jul 2021 18:50:18 +0200 Subject: [PATCH] ace.js: Don't use srcdoc when creating iframes (see #4975) Using srcdoc, especially with multiple nested iframes, seems to be problematic when using `self` in CSP policies. --- src/static/empty.html | 1 + src/static/js/ace.js | 6 ++++-- 2 files changed, 5 insertions(+), 2 deletions(-) create mode 100644 src/static/empty.html diff --git a/src/static/empty.html b/src/static/empty.html new file mode 100644 index 000000000..ef02d22ca --- /dev/null +++ b/src/static/empty.html @@ -0,0 +1 @@ +Empty diff --git a/src/static/js/ace.js b/src/static/js/ace.js index 387576ce4..1e73ac48f 100644 --- a/src/static/js/ace.js +++ b/src/static/js/ace.js @@ -197,7 +197,9 @@ const Ace2Editor = function () { // - Chrome never fires any events on the frame or document. Eventually the document's // readyState becomes 'complete' even though it never fires a readystatechange event. // - Safari behaves like Chrome. - outerFrame.srcdoc = ''; + // srcdoc is avoided because Firefox's Content Security Policy engine does not properly handle + // 'self' with nested srcdoc iframes: https://bugzilla.mozilla.org/show_bug.cgi?id=1721296 + outerFrame.src = '../static/empty.html'; info.frame = outerFrame; document.getElementById(containerId).appendChild(outerFrame); const outerWindow = outerFrame.contentWindow; @@ -240,7 +242,7 @@ const Ace2Editor = function () { innerFrame.allowTransparency = true; // for IE // The iframe MUST have a src or srcdoc property to avoid browser quirks. See the comment above // outerFrame.srcdoc. - innerFrame.srcdoc = ''; + innerFrame.src = 'empty.html'; outerDocument.body.insertBefore(innerFrame, outerDocument.body.firstChild); const innerWindow = innerFrame.contentWindow;