ace.js: Don't use srcdoc when creating iframes (see #4975)

Using srcdoc, especially with multiple nested iframes, seems to be problematic when using `self` in CSP policies.
2021-07-20 18:50:18 +02:00 · 2021-07-20 18:50:18 +02:00 · e61888dfe2
parent 9fda5adcef
commit e61888dfe2
2 changed files with 5 additions and 2 deletions
--- a/src/static/empty.html
+++ b/src/static/empty.html
@ -0,0 +1 @@
+<!DOCTYPE html><html><head><title>Empty</title></head><body></body></html>
--- a/src/static/js/ace.js
+++ b/src/static/js/ace.js
@ -197,7 +197,9 @@ const Ace2Editor = function () {
    //   - Chrome never fires any events on the frame or document. Eventually the document's
    //     readyState becomes 'complete' even though it never fires a readystatechange event.
    //   - Safari behaves like Chrome.
-    outerFrame.srcdoc = '<!DOCTYPE html>';
+    // srcdoc is avoided because Firefox's Content Security Policy engine does not properly handle
+    // 'self' with nested srcdoc iframes: https://bugzilla.mozilla.org/show_bug.cgi?id=1721296
+    outerFrame.src = '../static/empty.html';
    info.frame = outerFrame;
    document.getElementById(containerId).appendChild(outerFrame);
    const outerWindow = outerFrame.contentWindow;
@ -240,7 +242,7 @@ const Ace2Editor = function () {
    innerFrame.allowTransparency = true; // for IE
    // The iframe MUST have a src or srcdoc property to avoid browser quirks. See the comment above
    // outerFrame.srcdoc.
-    innerFrame.srcdoc = '<!DOCTYPE html>';
+    innerFrame.src = 'empty.html';
    outerDocument.body.insertBefore(innerFrame, outerDocument.body.firstChild);
    const innerWindow = innerFrame.contentWindow;
				`@ -0,0 +1 @@`
				`<!DOCTYPE html><html><head><title>Empty</title></head><body></body></html>`