block loading many apps in iframes

2022-02-25 14:24:28 +05:30 · 2022-02-25 14:24:28 +05:30 · bc365d16a8
commit bc365d16a8
parent e31ae08341
4 changed files with 39 additions and 0 deletions
--- a/www/common/sframe-common-outer.js
+++ b/www/common/sframe-common-outer.js
@ -8,7 +8,41 @@ define([
 ], function (nThen, ApiConfig, RequireConfig, Messages, $) {
    var common = {};

+    var embeddableApps = [
+        //'calendar',
+        'code',
+        //'doc', // XXX
+        // 'drive',  // XXX
+        //'file', // doesn't suggest iframes
+        'form',
+        'kanban',
+        'pad',
+        // 'poll', // XXX
+        //'presentation', // XXX
+        // 'sheet', // XXX
+        'slide',
+        //'teams', // XXX
+        'whiteboard',
+    ].map(function (x) {
+        return `/${x}/`; // XXX intentionally break IE or anything that doesn't support template literals
+    });
+
    common.initIframe = function (waitFor, isRt, pathname) {
+        if (window.top !== window) {
+            if (ApiConfig.disableEmbedding) {
+                return void window.alert(`This CryptPad instance's administrators have disabled remote embedding of its editors.`);
+            }
+            // even where embedding is not forbidden it should still be limited
+            // to apps that are explicitly permitted
+            if (!embeddableApps.includes(window.location.pathname)) {
+                return void window.alert(`Embedding this CryptPad editor in remote pages is not supported.`);
+            }
+        }
+
+        if (window.location.origin !== ApiConfig.httpUnsafeOrigin) {
+            return void window.alert(`This page is configured to only be accessed via ${ApiConfig.httpUnsafeOrigin}.`);
+        }
+
        var requireConfig = RequireConfig();
        var lang = Messages._languageUsed;
        var themeKey = 'CRYPTPAD_STORE|colortheme';
--- a/www/debug/main.js
+++ b/www/debug/main.js
@ -13,6 +13,9 @@ define([
    '/common/common-interface.js',
 ], function (nThen, ApiConfig, $, RequireConfig, SFCommonO,
    Cryptpad, Util, Hash, Realtime, Constants, UI) {
+    if (window.top !== window) {
+        return void window.alert(`If you are seeing this message then somebody might be trying to compromise your CryptPad account. Please contact the CryptPad development team.`);
+    }

    window.Cryptpad = {
        Common: Cryptpad,
--- a/www/login/main.js
+++ b/www/login/main.js
@ -10,6 +10,7 @@ define([

    'css!/bower_components/components-font-awesome/css/font-awesome.min.css',
 ], function ($, Cryptpad, Login, UI, Realtime, Feedback, LocalStore /*, Test */) {
+    if (window.top !== window) { return; }
    $(function () {
        var $checkImport = $('#import-recent');
        if (LocalStore.isLoggedIn()) {
--- a/www/register/main.js
+++ b/www/register/main.js
@ -14,6 +14,7 @@ define([

    'css!/bower_components/components-font-awesome/css/font-awesome.min.css',
 ], function ($, Login, Cryptpad, /*Test,*/ Cred, UI, Util, Realtime, Constants, Feedback, LocalStore, h) {
+    if (window.top !== window) { return; }
    var Messages = Cryptpad.Messages;
    $(function () {
        if (LocalStore.isLoggedIn()) {