Protect current pad keys in the unsafe iframe

www/common/sframe-common-outer.js

@@ -488,7 +488,7 @@ define([
 
 
             // Put in the following function the RPC queries that should also work in filepicker
-            var addCommonRpc = function (sframeChan) {
+            var addCommonRpc = function (sframeChan, safe) {
                 sframeChan.on('Q_ANON_RPC_MESSAGE', function (data, cb) {
                     Cryptpad.anonRpcMsg(data.msg, data.content, function (err, response) {
                         cb({error: err, response: response});
@@ -595,6 +595,12 @@ define([
                     }
                     if (data.href) { href = data.href; }
                     Cryptpad.getPadAttribute(data.key, function (e, data) {
+                        if (!safe && data) {
+                            // Remove unsafe data for the unsafe iframe
+                            delete data.href;
+                            delete data.roHref;
+                            delete data.password;
+                        }
                         cb({
                             error: e,
                             data: data

www/secureiframe/main.js

@@ -106,7 +106,7 @@ define([
                 Cryptpad.onMetadataChanged(updateMeta);
                 sframeChan.onReg('EV_METADATA_UPDATE', updateMeta);
 
-                config.addCommonRpc(sframeChan);
+                config.addCommonRpc(sframeChan, true);
 
                 Cryptpad.padRpc.onMetadataEvent.reg(function (data) {
                     sframeChan.event('EV_RT_METADATA', data);