mirror of
https://github.com/mjl-/mox.git
synced 2024-12-26 00:13:47 +03:00
rfc/xr: be more careful about which urls we load in iframes
anything that looks like it specifies a different host should not be loaded. www.xmox.nl also has a CSP policy that should prevent resources from other domains from being loaded.
parent
51e314f65a
commit
5b62013f27
1 changed files with 12 additions and 2 deletions
14
rfc/xr.go
14
rfc/xr.go
|
@ -364,18 +364,28 @@ window.addEventListener('hashchange', function() {
|
|||
})
|
||||
function hashlink2src(s) {
|
||||
const t = s.split(':')
|
||||
if (t.length > 2 || t[0].startsWith('/') || t[0].includes('..')) {
|
||||
return ''
|
||||
}
|
||||
let h = t[0]+'.html'
|
||||
if (t.length === 2) {
|
||||
h += '#L'+t[1]
|
||||
}
|
||||
h = './'+h
|
||||
console.log('hashlink', s, h)
|
||||
return h
|
||||
}
|
||||
function updateIframes() {
|
||||
const h = location.hash.length > 1 ? location.hash.substring(1) : 'code,rfc'
|
||||
const t = h.split(',')
|
||||
codeiframe.src = hashlink2src(t[0])
|
||||
rfciframe.src = hashlink2src(t[1])
|
||||
const codesrc = hashlink2src(t[0])
|
||||
const rfcsrc = hashlink2src(t[1])
|
||||
codeiframe.src = codesrc
|
||||
rfciframe.src = rfcsrc
|
||||
if (codesrc) {
|
||||
codefile.innerText = t[0]
|
||||
rfcfile.innerText = t[1]
|
||||
}
|
||||
}
|
||||
window.addEventListener('load', function() {
|
||||
console.log('document load')
|
||||
|
|
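Review bot: The new guard in hashlink2src is a denylist over the raw fragment text (`startsWith('/')`, `includes('..')`, more than one `:`), so what actually keeps the iframe on this host is the `'./'` prefix; percent-encoded dot segments, which the URL parser normalises like `..`, are not caught by the string test. I would resolve the built value the way the iframe will and require the same origin and a path under this page's directory, as in the excerpt below. Separately, updateIframes still passes `t[1]` when the fragment has no comma, and `s.split` then throws on undefined; `if (typeof s !== 'string') return ''` at the top of hashlink2src would cover that. The labels are gated only on `codesrc`, so `rfcfile` can show a name whose iframe was refused, and both labels keep their previous text when the code link is rejected.

```javascript
function hashlink2src(s) {
	// … unchanged: split on ':', existing rejects, build h, './' prefix …
	// Resolve as the iframe will, then require same origin and a path below this page's directory.
	const base = new URL('./', location.href)
	const u = new URL(h, base)
	if (u.origin !== base.origin || !u.pathname.startsWith(base.pathname)) {
		return ''
	}
	// … unchanged: console.log and return h …
```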