Handle custom protocols and URI schemata to avoid CSP violations #615 (#616)

This commit is contained in:
Jaifroid 2024-06-15 12:33:52 +01:00 committed by GitHub
parent d0a6d31d64
commit 2b3a8c320a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -5253,8 +5253,8 @@ function filterClickEvent (event) {
}
var href = clickedAnchor.getAttribute('href');
// We assume that, if an absolute http(s) link is hardcoded inside an HTML string, it means it's a link to an external website.
// We also do it for ftp even if it's not supported any more by recent browsers...
if (/^(?:http|ftp)/i.test(href)) {
// By comparing the protocols, we can filter out links such as `mailto:`, `tel:`, `skype:`, etc. (these should open in a new window).
if (/^(?:http|ftp)/i.test(href) || clickedAnchor.protocol && articleWindow.location.protocol !== clickedAnchor.protocol) {
console.debug('filterClickEvent opening external link in new tab');
clickedAnchor.newcontainer = true;
uiUtil.warnAndOpenExternalLinkInNewTab(event, clickedAnchor);
@ -5407,10 +5407,20 @@ function handleClickOnReplayLink (ev, anchor) {
var pseudoNamespace = appstate.selectedArchive.zimitPseudoContentNamespace;
var pseudoDomainPath = (anchor.hostname === window.location.hostname ? appstate.selectedArchive.zimitPrefix.replace(/\/$/, '') : anchor.hostname) + anchor.pathname;
var containingDocDomainPath = anchor.ownerDocument.location.hostname + anchor.ownerDocument.location.pathname;
// If it's for a different protocol (e.g. javascript:) we should let Replay handle that, or if the paths are identical, then we are dealing
// with a link to an anchor in the same document, or if the user has pressed the ctrl or command key, the document will open in a new window
// anyway, so we can return. Note that some PDFs are served with a protocol of http: instead of https:, so we need to account for that.
if (anchor.protocol.replace(/s:/, ':') !== document.location.protocol.replace(/s:/, ':') || pseudoDomainPath === containingDocDomainPath) return;
// If the paths are identical, then we are dealing with a link to an anchor in the same document
if (pseudoDomainPath === containingDocDomainPath) return;
// If it's for a different protocol (e.g. javascript:) we may need to handle that, or if the user has pressed the ctrl or command key, the document
// will open in a new window anyway, so we can return. Note that some PDFs are served with a protocol of http: instead of https:, so we need to account for that.
if (anchor.protocol && anchor.protocol.replace(/s:/, ':') !== document.location.protocol.replace(/s:/, ':')) {
// DEV: Monitor whether you need to handle /blob:|data:|file:/ as well (probably not, as they would be blocked by the sandbox if loaded into iframe)
if (/about:|javascript:/i.test(anchor.protocol) || ev.ctrlKey || ev.metaKey || ev.button === 1) return;
// So it's probably a URI scheme or protocol like mailto: that would violate the CSP, so we need to open it explicitly in a new taba
ev.preventDefault();
ev.stopPropagation();
console.debug('handleClickOnReplayLink opening custom protocol ' + anchor.protocol + ' in new tab');
uiUtil.warnAndOpenExternalLinkInNewTab(ev, anchor);
return;
}
var zimUrl;
// If it starts with the path to the ZIM file, then we are dealing with an untransformed absolute local ZIM link
if (!anchor.href.indexOf(pathToZim)) {
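Review bot: The new branch opening with `if (anchor.protocol && anchor.protocol.replace(/s:/, ':') !== …` forwards every scheme other than `about:`/`javascript:` to `uiUtil.warnAndOpenExternalLinkInNewTab`, so `data:`, `blob:` and `file:` hrefs now take the new-tab path, and the DEV comment's reason for not handling them (the iframe sandbox would block them) does not apply here because nothing on this path loads into the iframe. Content from a ZIM file should presumably be treated as untrusted, so I would exclude those schemes explicitly, e.g. `if (/^(?:about|javascript|data|blob|file):$/i.test(anchor.protocol) || ev.ctrlKey || ev.metaKey || ev.button === 1) return;`, or better keep an allow-list of the schemes you intend to hand off (mailto:, tel:, skype: as named in the first hunk's comment); I cannot see whether the helper itself filters by scheme, so treat this as a belt-and-braces check. Note that the parallel condition added in filterClickEvent (first hunk) has no `about:`/`javascript:` exclusion at all, so a `javascript:` href reaches the same helper from that path. The comment `…open it explicitly in a new taba` also has a typo. handleClickOnReplayLink begins before and ends after this hunk.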
@ -5548,6 +5558,8 @@ function handleClickOnReplayLink (ev, anchor) {
console.error('Error getting dirEntry for ' + zimUrl, err);
uiUtil.systemAlert('There was an error looking up ' + zimUrl, 'Error reading direcotry entry!');
});
} else {
}
}