[WO-409] render html in sandboxed iframe

2025-01-30 22:50:17 -05:00 · 2014-06-25 08:17:03 +02:00 · 2014-06-25 08:17:03 +02:00 · fb1a20d2b0
commit fb1a20d2b0
parent df8b74bfb6
5 changed files with 27 additions and 7 deletions
--- a/src/js/controller/read.js
+++ b/src/js/controller/read.js
@ -341,12 +341,9 @@ define(function(require) {
                scope.html = undefined;
                if (value) {
                    $timeout(function() {
-                        // wrap in html doc with scrollable html tag, since chrome apps does not scroll by default
-                        var prefix = '<!DOCTYPE html><html style="overflow-y: auto"><head></head><body>';
-                        var suffix = '</body></html>';
-                        // open links in new window, otherwise the sandbox with not open them
-                        var clickableHtml = value.replace(/<a /g, '<a target="_blank" ');
-                        scope.html = $sce.trustAsHtml(prefix + clickableHtml + suffix);
+                        scope.html = true;
+                        var iframe = elm[0];
+                        iframe.contentWindow.postMessage(value, '*');
                    });
                }
            });
--- a/src/manifest.json
+++ b/src/manifest.json
@ -32,5 +32,9 @@
    "background": {
      "scripts": ["background.js"]
    }
+  },
+  "sandbox": {
+    "pages": ["sandbox.html"],
+    "content_security_policy": "sandbox allow-popups allow-scripts; default-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src *"
  }
 }
--- a/src/sandbox.html
+++ b/src/sandbox.html
@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html style="overflow-y: auto">
+
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<script src="sandbox.js"></script>
+</head>
+
+<body></body>
+</html>
--- a/src/sandbox.js
+++ b/src/sandbox.js
@ -0,0 +1,8 @@
+(function() {
+    'use strict';
+
+    // set listener for event from main window
+    window.addEventListener('message', function(e) {
+        document.body.innerHTML = e.data.replace(/<a /g, '<a target="_blank" ');
+    }, false);
+})();
--- a/src/tpl/read.html
+++ b/src/tpl/read.html
@ -54,7 +54,7 @@
  </div><!--/.working-wrapper-->

  <!-- Render html body in sandboxed iframe -->
-  <iframe ng-show="html" sandbox="allow-popups" srcdoc="{{html}}"
+  <iframe ng-show="html" sandbox="allow-popups allow-scripts" src="sandbox.html" 
    frame-load="state.mailList.selected.html">
  </iframe>