clean up checkup tests and remove XXX

ansuz 3 years ago
parent e1abf4ef77
commit b83e8600f4

@ -1030,37 +1030,46 @@ define([
Support for selectively enabling embedding on remote sites is far more complicated Support for selectively enabling embedding on remote sites is far more complicated
and will need funding. and will need funding.
*/ */
assert(function (cb, msg) { var checkAllowedOrigins = function (raw, url, msg, cb) {
var header = 'Access-Control-Allow-Origin'; var header = 'Access-Control-Allow-Origin';
Tools.common_xhr('/', function (xhr) { var expected;
var raw = xhr.getResponseHeader(header);
if (ApiConfig.disableEmbedding) { if (ApiConfig.disableEmbedding) {
if (raw === trimmedSafe) { return void cb(true); } expected = trimmedSafe;
else {
msg.appendChild(h('span', [ msg.appendChild(h('span', [
'This instance has been configured to disable support for embedding assets in third-party websites. ', 'This instance has been configured to disable support for embedding assets and documents in third-party websites. ',
'In order for this setting to be effective while still permitting encrypted media to load locally ', 'In order for this setting to be effective while still permitting encrypted media to load locally ',
'the ', 'the ',
code(header), code(header),
' should only match trusted domains.', ' should only match trusted domains.',
' Under most circumstances it is sufficient to permit only the sandbox domain to load assets.',
" Remote embedding can be enabled via the admin panel.",
])); ]));
return void cb({ } else {
header: raw, expected = '*';
expected: trimmedSafe,
});
}
}
msg.appendChild(h('span', [ msg.appendChild(h('span', [
"This instance has been configured to permit embedding assets and documents in third-party websites.",
'Assets must be served with an ', 'Assets must be served with an ',
code(header), code(header),
' header with a value of ', ' header with a value of ',
code("'*'"), code("'*'"),
' if you wish to support embedding of encrypted media on third party websites.', '.',
' Remote embedding can be disabled via the admin panel.',
])); ]));
}
if (raw === expected) { return void cb(true); }
cb({
url: url,
response: raw,
disableEmbedding: ApiConfig.disableEmbedding,
});
};
cb(raw === "*" || raw); assert(function (cb, msg) {
var header = 'Access-Control-Allow-Origin';
var url = new URL('/', trimmedUnsafe).href;
Tools.common_xhr(url, function (xhr) {
var raw = xhr.getResponseHeader(header);
checkAllowedOrigins(raw, url, msg, cb);
}); });
}); });
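Review bot: The `new URL('/', trimmedUnsafe).href` on the new side of this hunk is unguarded inside the assert callback, while the sibling test later in this commit wraps the same construction in try/catch; a malformed `trimmedUnsafe` would throw synchronously here instead of reaching `cb`, and whether the surrounding harness catches that is outside this hunk. Mirroring the other test keeps the two consistent: `var url; try { url = new URL('/', trimmedUnsafe).href; } catch (err) { return void cb(true); }`. Separately, `checkAllowedOrigins` now appends its explanatory span to `msg` in both branches before comparing `raw` with `expected`, so the text is built even when the check passes; if `msg` is only rendered on failure this is harmless, otherwise move the `msg.appendChild` calls after the `if (raw === expected) { return void cb(true); }` line as the old code did.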
@ -1279,20 +1288,17 @@ define([
try { try {
url = new URL('/', trimmedUnsafe); url = new URL('/', trimmedUnsafe);
} catch (err) { } catch (err) {
return void cb({ // if your configuration is bad enough that this throws
error: err, // then other tests should detect it. Let's just bail out
}); return void cb(true);
} }
// XXX don't bother checking cors headers in dev environment // xhr.getResponseHeader and similar APIs don't behave as expected in insecure cross-origin contexts
if (url.protocol !== 'https') { return void cb(true); } // XXX // which prevents us from inspecting headers in a development context. We bail out early
// and assume it passed. The proper test will run as normal in production
if (url.protocol !== 'https') { return void cb(true); }
var header = 'Access-Control-Allow-Origin'; var header = 'Access-Control-Allow-Origin';
msg.appendChild(h('span', [
'pewpew ',
code(header), // XXX
]));
deferredPostMessage({ deferredPostMessage({
command: 'GET_HEADER', command: 'GET_HEADER',
content: { content: {
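Review bot: The guard `if (url.protocol !== 'https') { return void cb(true); }` kept on the new side can never be false, because `URL.prototype.protocol` includes the trailing colon (`'https:'`), so this CORS-header test bails out with a pass in production as well as in development, and the new comment stating that the proper test will run as normal in production does not hold for the code as written; a restrictive or missing `Access-Control-Allow-Origin` on the sandbox origin would therefore never be reported by this check. Change the comparison to `if (url.protocol !== 'https:') { return void cb(true); }`. The catch branch now also reports success when `new URL('/', trimmedUnsafe)` throws; the comment delegates that case to other tests, which is sound only if such a test exists, so consider naming it in the comment. The enclosing function starts before this hunk.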
@ -1300,12 +1306,7 @@ define([
header: header, header: header,
}, },
}, function (raw) { }, function (raw) {
if (raw === '*') { return void cb(true); } checkAllowedOrigins(raw, url.href, msg, cb);
if (raw === trimmedSafe) { return void cb(true); }
cb({
response: raw,
disableEmbedding: ApiConfig.disableEmbedding,
});
}); });
}); });

@ -774,7 +774,7 @@ define([
}]; }];
if (!opts.static && !ApiConfig.disableEmbedding) { if (!opts.static && !ApiConfig.disableEmbedding) {
tabs.push({ tabs.push({
getTab: getEmbedTab, // XXX getTab: getEmbedTab,
title: Messages.share_embedCategory, title: Messages.share_embedCategory,
icon: "fa fa-code", icon: "fa fa-code",
onShow: onShowEmbed, onShow: onShowEmbed,
