clean up checkup tests and remove XXX

3 years ago · b83e8600f4
parent e1abf4ef77
commit b83e8600f4
2 changed files with 41 additions and 40 deletions
--- a/www/checkup/main.js
+++ b/www/checkup/main.js
@ -1030,37 +1030,46 @@ define([
    Support for selectively enabling embedding on remote sites is far more complicated
    and will need funding.
 */
-    assert(function (cb, msg) {
+    var checkAllowedOrigins = function (raw, url, msg, cb) {
        var header = 'Access-Control-Allow-Origin';
-        Tools.common_xhr('/', function (xhr) {
+        var expected;
-            var raw = xhr.getResponseHeader(header);
+        if (ApiConfig.disableEmbedding) {
-
+            expected = trimmedSafe;
-            if (ApiConfig.disableEmbedding) {
+            msg.appendChild(h('span', [
-                if (raw === trimmedSafe) { return void cb(true); }
+                'This instance has been configured to disable support for embedding assets and documents in third-party websites. ',
-                else {
+                'In order for this setting to be effective while still permitting encrypted media to load locally ',
-                    msg.appendChild(h('span', [
+                'the ',
-                        'This instance has been configured to disable support for embedding assets in third-party websites. ',
+                code(header),
-                        'In order for this setting to be effective while still permitting encrypted media to load locally ',
+                ' should only match trusted domains.',
-                        'the ',
+                ' Under most circumstances it is sufficient to permit only the sandbox domain to load assets.',
-                        code(header),
+                " Remote embedding can be enabled via the admin panel.",
-                        ' should only match trusted domains.',
+            ]));
-                    ]));
+        } else {
-                    return void cb({
+            expected = '*';
                        header: raw,
                        expected: trimmedSafe,
                    });
                }
            }
            msg.appendChild(h('span', [
                "This instance has been configured to permit embedding assets and documents in third-party websites.",
                'Assets must be served with an ',
                code(header),
                ' header with a value of ',
                code("'*'"),
-                ' if you wish to support embedding of encrypted media on third party websites.',
+                '.',
                ' Remote embedding can be disabled via the admin panel.',
            ]));
        }
        if (raw === expected) { return void cb(true); }
        cb({
            url: url,
            response: raw,
            disableEmbedding: ApiConfig.disableEmbedding,
        });
    };
-            cb(raw === "*" || raw);
+    assert(function (cb, msg) {
        var header = 'Access-Control-Allow-Origin';
        var url = new URL('/', trimmedUnsafe).href;
        Tools.common_xhr(url, function (xhr) {
            var raw = xhr.getResponseHeader(header);
            checkAllowedOrigins(raw, url, msg, cb);
        });
    });
@ -1279,20 +1288,17 @@ define([
        try {
            url = new URL('/', trimmedUnsafe);
        } catch (err) {
-            return void cb({
+            // if your configuration is bad enough that this throws
-                error: err,
+            // then other tests should detect it. Let's just bail out
-            });
+            return void cb(true);
        }
-        // XXX don't bother checking cors headers in dev environment
+        // xhr.getResponseHeader and similar APIs don't behave as expected in insecure cross-origin contexts
-        if (url.protocol !== 'https') { return void cb(true); } // XXX
+        // which prevents us from inspecting headers in a development context. We bail out early
        // and assume it passed. The proper test will run as normal in production
        if (url.protocol !== 'https') { return void cb(true); }
        var header = 'Access-Control-Allow-Origin';
        msg.appendChild(h('span', [
            'pewpew ',
            code(header), // XXX
        ]));
        deferredPostMessage({
            command: 'GET_HEADER',
            content: {
@ -1300,12 +1306,7 @@ define([
                header: header,
            },
        }, function (raw) {
-            if (raw === '*') { return void cb(true); }
+            checkAllowedOrigins(raw, url.href, msg, cb);
            if (raw === trimmedSafe) { return void cb(true); }
            cb({
                response: raw,
                disableEmbedding: ApiConfig.disableEmbedding,
            });
        });
    });
--- a/www/common/inner/share.js
+++ b/www/common/inner/share.js
@ -774,7 +774,7 @@ define([
        }];
        if (!opts.static && !ApiConfig.disableEmbedding) {
            tabs.push({
-                getTab: getEmbedTab, // XXX
+                getTab: getEmbedTab,
                title: Messages.share_embedCategory,
                icon: "fa fa-code",
                onShow: onShowEmbed,