|
|
@ -1030,37 +1030,46 @@ define([
|
|
|
|
Support for selectively enabling embedding on remote sites is far more complicated
|
|
|
|
Support for selectively enabling embedding on remote sites is far more complicated
|
|
|
|
and will need funding.
|
|
|
|
and will need funding.
|
|
|
|
*/
|
|
|
|
*/
|
|
|
|
assert(function (cb, msg) {
|
|
|
|
var checkAllowedOrigins = function (raw, url, msg, cb) {
|
|
|
|
var header = 'Access-Control-Allow-Origin';
|
|
|
|
var header = 'Access-Control-Allow-Origin';
|
|
|
|
Tools.common_xhr('/', function (xhr) {
|
|
|
|
var expected;
|
|
|
|
var raw = xhr.getResponseHeader(header);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if (ApiConfig.disableEmbedding) {
|
|
|
|
if (ApiConfig.disableEmbedding) {
|
|
|
|
if (raw === trimmedSafe) { return void cb(true); }
|
|
|
|
expected = trimmedSafe;
|
|
|
|
else {
|
|
|
|
|
|
|
|
msg.appendChild(h('span', [
|
|
|
|
msg.appendChild(h('span', [
|
|
|
|
'This instance has been configured to disable support for embedding assets in third-party websites. ',
|
|
|
|
'This instance has been configured to disable support for embedding assets and documents in third-party websites. ',
|
|
|
|
'In order for this setting to be effective while still permitting encrypted media to load locally ',
|
|
|
|
'In order for this setting to be effective while still permitting encrypted media to load locally ',
|
|
|
|
'the ',
|
|
|
|
'the ',
|
|
|
|
code(header),
|
|
|
|
code(header),
|
|
|
|
' should only match trusted domains.',
|
|
|
|
' should only match trusted domains.',
|
|
|
|
|
|
|
|
' Under most circumstances it is sufficient to permit only the sandbox domain to load assets.',
|
|
|
|
|
|
|
|
" Remote embedding can be enabled via the admin panel.",
|
|
|
|
]));
|
|
|
|
]));
|
|
|
|
return void cb({
|
|
|
|
} else {
|
|
|
|
header: raw,
|
|
|
|
expected = '*';
|
|
|
|
expected: trimmedSafe,
|
|
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
msg.appendChild(h('span', [
|
|
|
|
msg.appendChild(h('span', [
|
|
|
|
|
|
|
|
"This instance has been configured to permit embedding assets and documents in third-party websites.",
|
|
|
|
'Assets must be served with an ',
|
|
|
|
'Assets must be served with an ',
|
|
|
|
code(header),
|
|
|
|
code(header),
|
|
|
|
' header with a value of ',
|
|
|
|
' header with a value of ',
|
|
|
|
code("'*'"),
|
|
|
|
code("'*'"),
|
|
|
|
' if you wish to support embedding of encrypted media on third party websites.',
|
|
|
|
'.',
|
|
|
|
|
|
|
|
' Remote embedding can be disabled via the admin panel.',
|
|
|
|
]));
|
|
|
|
]));
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
if (raw === expected) { return void cb(true); }
|
|
|
|
|
|
|
|
cb({
|
|
|
|
|
|
|
|
url: url,
|
|
|
|
|
|
|
|
response: raw,
|
|
|
|
|
|
|
|
disableEmbedding: ApiConfig.disableEmbedding,
|
|
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
cb(raw === "*" || raw);
|
|
|
|
assert(function (cb, msg) {
|
|
|
|
|
|
|
|
var header = 'Access-Control-Allow-Origin';
|
|
|
|
|
|
|
|
var url = new URL('/', trimmedUnsafe).href;
|
|
|
|
|
|
|
|
Tools.common_xhr(url, function (xhr) {
|
|
|
|
|
|
|
|
var raw = xhr.getResponseHeader(header);
|
|
|
|
|
|
|
|
checkAllowedOrigins(raw, url, msg, cb);
|
|
|
|
});
|
|
|
|
});
|
|
|
|
});
|
|
|
|
});
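Review bot: The new `checkAllowedOrigins` helper has no header comment, and its contract is not obvious from the two call sites: `raw` is the `Access-Control-Allow-Origin` value taken from the response (so it may be `null` when the header is absent), `url` is only echoed back in the failure object, and the helper reads `trimmedSafe` and `ApiConfig.disableEmbedding` from the enclosing scope rather than taking them as parameters. A comment along the lines of `/* Compare the observed Access-Control-Allow-Origin value against the expected one (the sandbox origin when embedding is disabled, '*' otherwise); calls cb(true) on an exact match, otherwise cb({ url, response, disableEmbedding }) */` placed above the `var checkAllowedOrigins` line would make that explicit. Note also that in the `disableEmbedding` branch the explanatory span is now appended to `msg` before the comparison, whereas the old code appended it only on a mismatch; if `msg` is rendered only for failed asserts this is harmless, otherwise a passing check now emits a message too. The enclosing `define` module body starts and ends outside this hunk.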
|
|
|
|
|
|
|
|
|
|
|
@ -1279,20 +1288,17 @@ define([
|
|
|
|
try {
|
|
|
|
try {
|
|
|
|
url = new URL('/', trimmedUnsafe);
|
|
|
|
url = new URL('/', trimmedUnsafe);
|
|
|
|
} catch (err) {
|
|
|
|
} catch (err) {
|
|
|
|
return void cb({
|
|
|
|
// if your configuration is bad enough that this throws
|
|
|
|
error: err,
|
|
|
|
// then other tests should detect it. Let's just bail out
|
|
|
|
});
|
|
|
|
return void cb(true);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// XXX don't bother checking cors headers in dev environment
|
|
|
|
// xhr.getResponseHeader and similar APIs don't behave as expected in insecure cross-origin contexts
|
|
|
|
if (url.protocol !== 'https') { return void cb(true); } // XXX
|
|
|
|
// which prevents us from inspecting headers in a development context. We bail out early
|
|
|
|
|
|
|
|
// and assume it passed. The proper test will run as normal in production
|
|
|
|
|
|
|
|
if (url.protocol !== 'https') { return void cb(true); }
|
|
|
|
|
|
|
|
|
|
|
|
var header = 'Access-Control-Allow-Origin';
|
|
|
|
var header = 'Access-Control-Allow-Origin';
|
|
|
|
msg.appendChild(h('span', [
|
|
|
|
|
|
|
|
'pewpew ',
|
|
|
|
|
|
|
|
code(header), // XXX
|
|
|
|
|
|
|
|
]));
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
deferredPostMessage({
|
|
|
|
deferredPostMessage({
|
|
|
|
command: 'GET_HEADER',
|
|
|
|
command: 'GET_HEADER',
|
|
|
|
content: {
|
|
|
|
content: {
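Review bot: The early return `if (url.protocol !== 'https') { return void cb(true); }` fires for every URL, because `URL.prototype.protocol` includes the trailing colon (`'https:'` for an https URL), so this assert always reports success and the sandbox domain's `Access-Control-Allow-Origin` header is never actually inspected, including in production where the newly added comment says the proper test runs. The comparison should be `if (url.protocol !== 'https:') { return void cb(true); }`. The old line carried an `// XXX` marker that the commit removes while keeping the same comparison, so the explanatory comment now documents behaviour the code does not have. The enclosing function starts before this hunk (where `url` is declared) and its body continues into the next hunk.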
|
|
|
@ -1300,12 +1306,7 @@ define([
|
|
|
|
header: header,
|
|
|
|
header: header,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}, function (raw) {
|
|
|
|
}, function (raw) {
|
|
|
|
if (raw === '*') { return void cb(true); }
|
|
|
|
checkAllowedOrigins(raw, url.href, msg, cb);
|
|
|
|
if (raw === trimmedSafe) { return void cb(true); }
|
|
|
|
|
|
|
|
cb({
|
|
|
|
|
|
|
|
response: raw,
|
|
|
|
|
|
|
|
disableEmbedding: ApiConfig.disableEmbedding,
|
|
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
});
|
|
|
|
});
|
|
|
|
});
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|