? Success
Related to # 3849

User tests: Successful: Unsuccessful:

avatar J0WI
J0WI
13 Jan 2015

#3849 rewritten


How to test

  • add a new wrapper
  • see that the iframe looks good in frontend
  • appy this patch
  • make sure it works still expected :smile:
avatar J0WI J0WI - open - 13 Jan 2015
avatar jissues-bot jissues-bot - change - 13 Jan 2015
Labels Added: ?
avatar brianteeman
brianteeman - comment - 13 Jan 2015

It would really help if you cold provide some explanation what this does and how to test it. The easier it is to test the quicker it will get merged


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/5716.

avatar J0WI
J0WI - comment - 13 Jan 2015

As described in #3838, inline JS prevents admins to use a restrictive CSP on their site. So I moved this JS snippet, that controls the height of an iframe, to a file.

avatar dgt41
dgt41 - comment - 13 Jan 2015

@J0WI Thanks for coding this
Can I ask you why you decided not to use this:

JFactory::getApplication()->getDocument()->addScriptDeclaration("
CODE GOES HERE
");

This way there is no need for the 2 extra javascript files, and also no extra request on the rendered file.
The weight is small only 12 lines of codeā€¦
You can also see that in my attempt to do the same thing here: #5117

avatar J0WI
J0WI - comment - 13 Jan 2015

This function would create a <script> element, isn't it? So it prevents you from using CSP without unsafe-inline.
https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives#Keywords

avatar dgt41
dgt41 - comment - 13 Jan 2015

@J0WI It will add a <script>***</script> in the head of the document, so CSP should be fine with it!

avatar J0WI
J0WI - comment - 13 Jan 2015

Nope, referring to spec all <script> elements are blocked, even if they are created in head. Just verified using nginx and Firefox 37.

avatar dgt41
dgt41 - comment - 13 Jan 2015

@J0WI WOW really? Joomla then needs more tweaks to comply with this ????

avatar J0WI
J0WI - comment - 13 Jan 2015

That would be great! The backed is actually unusable with CSP. D:
JFYI: eval is evil #3837

avatar dgt41
dgt41 - comment - 13 Jan 2015

@J0WI And I proposed few days ago something that uses evil() #5652 ????

avatar dgt41
dgt41 - comment - 13 Jan 2015

@J0WI Just out of curiosity the 'self' will reject the inline scripts from the same source? Documentation is not very clear...

avatar J0WI
J0WI - comment - 13 Jan 2015

self => allowed only from exact same url/protocol (e.g. https://github.com/* but nothing else, relative paths are allowed)
unsafe-inline => allow creepy inline stuff (e.g. <script> element or javascript: values in href)
unsafe-eval => allow evil eval() stuff

The same restrictions are available for nearly every resource, so inline CSS is also a problem. But you can't do that much damage as with JS.

You may be interested in https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Using_Content_Security_Policy#Examples.3A.C2.A0Common_use_cases

avatar brianteeman brianteeman - change - 14 Jan 2015
Category JavaScript
avatar brianteeman brianteeman - change - 14 Jan 2015
Rel_Number 3849
Relation Type Related to
avatar phproberto
phproberto - comment - 2 Feb 2015

This is the right way :+1:

avatar J0WI
J0WI - comment - 4 Feb 2015

@brianteeman Do you need any additional information from me to merge this? Is it already to late to push this to 3.4?

avatar dgt41
dgt41 - comment - 4 Feb 2015

@J0WI There where some proposals for wrapper by Hannes #5117 (see the last comments). Do you think you can implement these in this PR?

avatar J0WI
J0WI - comment - 5 Feb 2015

Done.

avatar J0WI
J0WI - comment - 13 Jul 2015

This still waits for a review/merge

avatar zero-24 zero-24 - change - 13 Jul 2015
The description was changed
Easy No Yes
avatar zero-24
zero-24 - comment - 13 Jul 2015

Adding test Instructions.


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/5716.

avatar dgt41
dgt41 - comment - 13 Jul 2015

@zero-24 This needs to be tested also for the module
#test ok here!

avatar zero-24 zero-24 - test_item - 13 Jul 2015 - Tested successfully
avatar zero-24 zero-24 - change - 13 Jul 2015
Status Pending Ready to Commit
avatar zero-24
zero-24 - comment - 13 Jul 2015

Thanks @dgt41 just tested with the component and module works good here. Thanks @J0WI moving to RTC :smile:


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/5716.

avatar zero-24 zero-24 - alter_testresult - 13 Jul 2015 - dgt41: Tested successfully
avatar zero-24 zero-24 - change - 13 Jul 2015
Labels Added: ?
avatar Kubik-Rubik Kubik-Rubik - change - 15 Jul 2015
Milestone Added:
avatar Kubik-Rubik
Kubik-Rubik - comment - 15 Jul 2015

Thank you @J0WI! Merged with 5e44e0a

avatar Kubik-Rubik Kubik-Rubik - change - 15 Jul 2015
Status Ready to Commit Closed
Closed_Date 0000-00-00 00:00:00 2015-07-15 12:24:41
Closed_By Kubik-Rubik
avatar Kubik-Rubik Kubik-Rubik - close - 15 Jul 2015
avatar zero-24 zero-24 - close - 15 Jul 2015
avatar zero-24 zero-24 - change - 14 Oct 2015
Labels Removed: ?

Add a Comment

Login with GitHub to post a comment